Hubert H. Humphrey Building
Room 503A
200
Independence Avenue, SW
Washington, DC
PARTICIPANTS
Committee:
Robert M. Gellman, J.D., Chair
Simon P. Cohn, M.D., M.P.H., FACP
Kathleen A. Frawley, J.D., M.S., RRA
Richard K. Harding, M.D.
Sheila T. Leatherman
Elizabeth Ward
Staff:
John P. Fanning, J.D.
Harvey, Schwartz, Ph.D.
Speakers:
Kathleen Fyffe, Health Insurance Association of America
Richard Kowalski, General Motors
David Larson, American Association of Health Plans
Robert Burleigh, International Billing Association
Jeanne Schulte Schott, Association for Electronic
Health Care Transactions
Tom Gilligan, Association for Electronic Health Care
Transactions
TABLE OF CONTENTS
Page
Call to Order - Mr. Gellman 1
Insurers and Employers:
Richard Kowalski, General Motors 3
Kathleen Fyffe, HIAA 10
David Larson, Amer. Assoc. of Health Plans 13
Claims Processors and Other Intermediaries:
Robert Burleigh, International Billing Assoc. 109
Jeanne Schulte Scott, AFEHCT 115
Tom Gilligan, AFEHCT 122
P R O C E E D I N G S (9:08 a.m.)
MR. GELLMAN: If everyone could take a seat, we will begin. Let me start by setting the scene here. This is the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics, under administrative simplification, subtitle of the Kennedy-Kassebaum bill, Health Insurance Portability and Accountability Act.
The secretary is required to submit a report to the Congress in August containing detailed recommendations on health privacy. This committee will submit recommendations to the secretary, to help her formulate her own views on the issue.
The committee decided last year to form a subcommittee on privacy and confidentiality to start exploring the issue, and as a method of helping to develop recommendations. Basically, that is what we are doing today. We held two days of hearings in January, and there are two additional days of hearings later this month.
The purpose of the hearings is to explore in detail, the options, choices and trade-offs that are inherent in any privacy legislation. We expect to cover the full range of fair information practices, patients' rights, limitations on use and disclosure of information, health ID number, preemption of state law and privacy enhancing technology.
This is not going to be a classic Washington hearing where witnesses read long statements, answer a few questions and then go home. We are going to have as much discussion as possible. If you looked at the agenda, you see that we have one panel for the morning. Witnesses will be given five minutes to make presentations, and we will spend the rest of the morning in discussion.
The next hearings in the series and the last two are scheduled for February 18 and 19. The subjects to be covered at those hearings are yet to be determined, so you can watch our Web site for more information when it is available.
There is an opportunity for public comments at the end of the day, scheduled for some time after 4:00 p.m. when we are done. There is a sign-up sheet for public comments at the table in the back, so if anyone is interested, they can sign up in advance.
What we are going to do now -- it's a tradition of the committee at least to have everyone in the room introduce themselves. We are going to begin with the people up here and then go around the audience. If you care to identify yourself, you are welcome to do so.
[Introductions were made.]
Thank you all.
I think we are going to begin with the witnesses. As I said, I'm giving you each five minutes to make a statement, and I will cut you off after the five minutes, because you will discover that we will use the rest of the morning for questions, and there will be plenty of opportunity to say what you wish.
Would you like to begin, Mr. Kowalski?
MR. KOWALSKI: Good morning. My name is Richard Kowalski. I am an occupational health nurse, employed by North American Operations Personnel for General Motors. I have been with them for 26 years as a general supervisor of the medical departments.
My responsibilities include general supervision over nursing services at 10 manufacturing plants, which run 3 shifts a day. Our medical departments are staffed by physicians, nurses, physical therapists and athletic trainers. We serve approximately 26,000 employees of Delphi and power train divisions, of whom are represented by the United Autoworkers Union.
The medical staff diagnoses and treats occupational injuries and illnesses, provides medical surveillance, offers various work site health promotion programs. We perform blood work, drug screen, x-rays and EKGs, coordinate referrals to specialty providers. Our department is also responsible for medical rehabilitation and return to work programs.
I realize that many companies are not large enough have in-house medical departments, however, that does not mean the smaller employers should not also obtain health information about their employees. Large and small employers have a duty to protect the health and safety of their workers, and both have certain legitimate needs for health information about their employees.
Safety and health programs are implemented to identify and reduce hazards to employees. The safety programs operated by GM includes a medical surveillance component to monitor employees who are exposed to toxic chemicals or dangerous substances. Many such medical surveillance activities are mandated by OSHA, and both large and small businesses provide various medical surveillance services to potentially exposed employees either in-house or through outside providers who generally work under contract.
Prudent employers also want to be sure that their employees are medically fit to perform the functions of their job. Several employers, such as those in the transportation industry are required by law to periodically access the physical fitness of their employees. Accordingly, many employers, regardless of size, require physical exams before new hires are allowed to begin work, or sick or injured employees are allowed to return to work.
Again, these exams can be performed in-house by a contract health care provider. Personal health information is also collected through work site health promotion programs, especially programs that involve risk assessment surveys. These are just a few examples of the types of health information obtained through an individual's place of employment.
I would like to talk to you today about privacy issues related to health information obtained at the work site. No law can effectively protect individual privacy in a comprehensive way unless there are a measure of appropriate limits to access to personal identifiable health information obtained at work sites across this country.
I do not pretend to be an expert on various confidentiality bills introduced last session, but I know that none of the bills adequately protected the privacy rights of employees, because the bills failed to limit employer disclosure of personally identifiable health information.
Based on my experience, I know that employees' personal health information can be collected and properly utilized in the workplace, while maintaining the individual's right to privacy. Health professionals can provide management with aggregate data relating to the effects of hazards and exposures. They can also inform management about an individual's fitness to work without disclosing a diagnosis or other personal health information.
Frequently, when an employee's supervisor or company human resources representative asks to see health record, the supervisor or human resource representative will cite the need for information to determine if the employee has a legitimate reason for missing work or being restricted.
In essence, the supervisor or the human resource representative is attempting to second guess the health professional's opinion by making his or her own determination about the employee's fitness to work. Companies can avoid breaching an employee's confidentiality without compromising productivity by adequately defining the physical requirements of the jobs, and educating health professionals serving their employees about these requirements.
GM's company policy on confidentiality states it is the obligation of health services personnel to protect the confidentiality of any private information which may be acquired from an employee/patient. This policy is based on the presumption that trust is key in the development of an open, workable provider-patient relationship, and the recognition that such generally will be destroyed by the disclosure of confidential information without the employee's prior consent.
GM wants its employees to participate fully in health benefits programs it provides, and the company knows it must give proof to its employees that their health information will be kept confidential to insure such participation.
GM also requires that the inappropriate release of personal identifiable information be discouraged in the reporting of safety incidents. Moreover, sound, effective confidentiality policies can help the company avoid allegation of discrimination against ill or injured employees.
Medical records confidentiality laws are currently developed by the states, and almost half the states have no such laws. Even in those states with medical records statues, the laws are frequently outdated, because they were enacted when all medical records were pieces of paper locked in physicians' file cabinets and hospital record rooms.
Moreover, the medical records confidentiality laws rarely consider health information obtained in the workplace. In fact to my knowledge, only California statutes specifically regulates the use of disclosure of health information obtained at the work site.
The existing patchwork of nonexistent or outdated state laws governing medical records and patient privacy results in disparities and complexities for both individuals and multi-state employers.
Concern about issues of personal health information increasing. The Washington Journal has run a series of articles about abuses of confidentiality over the last year, including an article dealing with the misuse of work site health data.
For a variety of reasons, including the boom in personal computer use, the growth of the Internet and the increasing promise of regional/national health care providers, and regional/national health insurance, the rapid development of new genetic testing technology, and proliferation of corporate restructures and downsizing, people are more aware of the potential abuses of their health information.
With the spread of information technology, as well as efforts to streamline insurance claims processing, the opportunities for the misappropriation of health information will increase. The problem cannot be addressed entirely by the state level, because health information, like all other kinds of information increasingly needs to flow across state lines.
Thus, Congress must act both to facilitate appropriate exchanges of information, and to protect individual privacy by enacting comprehensive health information confidentiality legislation. Though some employers continue the appropriate use of records for health and safety programs, work site health promotion programs, and employee assistance programs, where there may be hiring, promotion and disciplinary decisions.
I encourage this committee to include specific provisions to protect health information obtained at the work site and any recommendations prepared for Congress.
My company's comprehensive confidentiality policy has not impeded General Motor's ability to do business and helps to maintain a productive work force. Our employees can trust that the information shared with health service staff will be appropriately handled.
In conclusion, I would like to restate the confidentiality protections for work site information can be implemented without impeding a company's ability to do business, and can benefit employers by serving to encourage employee participation in work site health promotion programs, and appropriate use of health benefit services, preserving employee trust, which is necessary in a provider-client relationship, and limiting a company's exposure to discrimination claims.
Thank you for the opportunity to address the committee. I'll be glad to answer any questions.
MR. GELLMAN: Thank you very much.
Kathleen, I think you are next.
MS. FYFFE: Thank you, Mr. Chairman.
Good morning. I am Kathleen Fyffe, the Director of Operational Systems at the Health Insurance Association of America. We are also known as HIAA.
HIAA is a trade association representing 300 commercial health insurance companies, managed care plans and Blue Cross plans. Our member companies provide products as such: health insurance, dental insurance, disability income insurance, long term care insurance and Medicare supplemental insurance.
We are very grateful this morning for the opportunity to provide testimony about health confidentiality issues to this committee. HIAA wholeheartedly agrees that protection of personal health information is vitally important to the people of the United States, and is an important aspect of health care reform.
Our member companies have much respect for the confidentiality of health information which is under their control for payment purposes. Typical policies and procedures involve the signing of confidentiality statements by health insurance company employees, which expressly forbid them to disclose confidential data about patients. Most importantly, the statement includes consequences, so that if such disclosure occurs, the employees are terminated from employment.
We respectfully request that as this committee formulates its recommendations about privacy legislation for the secretary, the following points be carefully considered. First of all, that the recommendations be consistent with the ultimate goals of administrative simplification in health care, which are as follows: to increase efficiency in the system; to decrease costs; and most importantly, to improve patient care.
Secondly, we ask that we keep in mind that well intentioned, but onerous administrative burdens placed on providers or payers can increase costs to patients.
Number three, it is important that privacy recommendations be flexible. That is, flexible enough to suit the fluid organizational changes of today's health care marketplace.
Four, the recommendations should exercise caution with respect to the procedures for correcting or amending protected health information. There have been legislative proposals which imply that patients are qualified to make changes to medical records. We believe that any changes to medical records should be managed through a patient's physician or other appropriate provider who is appropriately qualified to make determinations regarding changes.
Number five, it is very important to our member companies that federal supersede state law in the area of privacy of health information. Our members have multi-state operations, and it is difficult and expensive administratively to comply with varying state laws.
Lastly, we firmly believe that privacy protections should allow for coordinated patient care services in network-based health care plans. Such health care plans offer coordinated health services to patients, and therefore it makes sense to enable patients to provide a single authorization for such things as: treatment, payment of services, utilization review and health plan management services.
This single authorization enables coordinated patient care, and facilitates efficient and appropriate sharing of information among health care providers and plans in order to provide patients with high quality health care services.
Again, the HIAA appreciates greatly the opportunity to testify before this subcommittee this morning, and I would be happy to answer your questions.
MR. GELLMAN: Thank you very much.
Mr. Larson?
MR. LARSON: My name is David Larson. I'm Director of Health Services at Intermountain Health Care. Based in Salt Lake City, Utah, IHC is an integrated, not-for-profit health care system consisting of 23 hospitals, 33 clinics, 16 home health agencies, 300 employed physicians and IEC health plans, a mixed model HMO with an enrollment of 350,000 members including Medicare and Medicaid beneficiaries.
Today I am testifying on behalf of the American Association of Health Plans, which represents 1,000 HMOs, PPOs and similar network plans providing care to over 120 million Americans. I appreciate the opportunity to participate in today's hearing.
AAHP supports this committee's efforts to protect against the unauthorized and inappropriate use of patient information, while at the same time facilitate the coordination and delivery of high quality, network-based health care.
It is important that your recommendations recognize the special needs of integrated delivery systems. Network-based care relies on the coordination of patient care by providers, and effective, quality enhancing activities which include: quality assurance programs; data analysis for disease management activities; outcomes research on safety, efficacy, cost effectiveness and quality of life; accreditation and certification activities; and provider screening and profiling.
A significant number of these activities, which I will elaborate on later, require the use of individually identifiable information. In addition, even in cases where non-identifiable information can be used, health plans must be able to link the non-identifiable information back to a specific individual in the event that a more effective treatment protocol or a previously unknown health risk is identified.
For example, a portion of IHC's effort to improve clinical and service quality centers on the develop of care process models or practice guidelines. In developing care process models for chronic conditions such as asthma and diabetes, individual patient information is used to identify members at risk of complications, or who are not receiving care consistent with the best care guidelines. IHC reaches out and communicates directly with those patients and their primary care physicians concerning the patient's profile of care and use of medical services.
As an integrated delivery system, IHC is responsible for the health outcomes of the patients who seek care from our system. In order to manage and improve the health outcomes of the population we insure, we must be able to share information among IHC corporate entities, our physicians, hospitals and health plans.
IHC has developed electronic medical records and common databases to facilitate this communication. Preventing the creation of these common databases limiting the type of data which can be shared within the IHC integrated delivery system, or requiring a patient's authorization for each and every transaction and transfer of data would severely limit IHC's ability to measure and improve the health outcomes of our enrollees.
IHC has invested in many efforts to insure security and confidentiality of health information. Included in these efforts are: the development of an IHC employee confidentiality agreement; consequences for improper use of handling of confidential information; access to patient information by need to know, and by job description; software controls, including warnings on front log-in screens, unique log-on passwords and computerized audit trials; and a proactive stance in development of local and national confidentiality policy.
IHC has spent significant time and effort in addressing the issues surrounding the appropriate use of medical record information. Use of this information is critical to our delivery system's operations and efforts to improve our members' health outcomes.
I look forward to providing you with more specific information on how IHC uses and protects identifiable information.
MR. GELLMAN: Thank you. Thank all of you. The statements were all quite good.
I'm going to just proceed by basically having a discussion here of a whole variety of issues relating to the topic. I just want to make it clear that it is just a discussion. This isn't a congressional hearing. We are not asking people to make binding statements on behalf of their organizations, so that's understood. Respond as you feel appropriate. Where there is uncertainty or doubt about things, feel free to say so, because there is plenty of uncertainty to go around in all the legislation.
Let me begin with some very broad questions. Congress has obviously decided that some kind of comprehensive medical privacy legislation is needed. That is what you find in Kennedy-Kassebaum. Obviously the scope and the details have been left for the future, and that's part of what we are doing here, is to try and get into some of those issues.
Do any of you want to take issue with the broad congressional judgment that medical records need better legal protection?
Do I take it that no one wants to take issue with that?
MR. LARSON: I would like to speak briefly on that issue. I don't have any evidence within our delivery system of need for tighter controls. I think we have taken our own initiate and recognize internally the issues associated with records, and have taken significant steps forward in trying to assure those efforts.
We have done that despite federal legislation or state legislation. There are many laws in the state of Utah associated with medical record confidentiality. I'm not sure that creating federal legislation will insure confidentiality of information any more than state laws have insured confidentiality. It comes down to the individual actions taken by those who safeguard records, to see that they are safeguarded.
MR. GELLMAN: Federal legislation offers the benefits of uniformity of regulation throughout the country. Do you think that is a valuable justification for federal legislation, or do you still think you can fend for yourself?
MR. LARSON: I think that would be of value. In reviewing with our counsel, the state laws in the state of Utah, there are many different laws, not just one law that pertain to the confidentiality of medical records.
In looking at a federal law compared with state laws, the concern is one of uncertainty as to how broad the federal legislation will be, and will it look at all the specific issues that the individual laws within the state address? If it preempts those individual laws, will there be loopholes, or will there be unaddressed issues, because the federal law isn't comprehensive of all individual issues that multiple state laws address?
MR. GELLMAN: In other words, you are not willing to buy a pig in a poke?
MR. LARSON: Right.
MR. GELLMAN: The legislative scheme in Kennedy-Kassebaum is that either there will be federal regulation in three years, or the secretary of HHS will be authorized to write regulations governing at least a part of the world of medical records. Would you prefer legislation or regulation as an approach to this?
MR. KOWALSKI: I not only work for General Motors, but I am on the governmental affairs committee for our national association, the American Association of Occupational Health Nurses. As I said, I have been an occupational health nurse for 26 years. There are a lot of nurses around the country that are the only medical person; in certain companies there is no physician present.
Historically, that's one reason it's a big issue not only for our association, but the American College of Occupational Physicians. The abuse of confidentiality -- they are intimidated and threatened with their job if they don't release the information to whatever personnel people, supervisors come in off the floor.
Any legislation -- any mandated anything would be a help, because this is something we have been fighting for years. There are anecdotal stories of workmen's compensation people coming in, getting information in a small town, and they know everything, every surgery and every problem that anybody has had in a small town. They carelessly get the information and then just give it away to whoever they are talking to, so anything would be helpful.
MS. FYFFE: We would prefer federal legislation over regulation through the secretary alone. Many of the federal legislative proposals in the past Congress have had bipartisan support, and I think that that would be the direction that we would want to go in.
MR. GELLMAN: Let's get into some of the more specific issues. I want to start talking about insurance, third party payers. Some insurers are providers; some insurer aren't. Some insurers are employers; some insurers aren't. It obviously makes life very complicated in figuring out how to regulate all of this.
When the insurer is not the provider, and this could apply even to an HMO that may be using an outside physician, the insurer gets limited amounts of information about a patient encounter. If the insurer wants more information about a particular transaction, then it has to ask.
That's a fair description of the way things work?
MS. FYFFE: Yes.
MR. GELLMAN: This is the source of at least some complaints. I have constantly heard over the years that insurers always seem to ask for entire medical files, even when a payment request is for a single encounter. How common is this? How often is more requested? How often is an entire medical record or a large portion of a medical record acquired in connection with the processing of an individual payment request?
MS. FYFFE: Let me comment on that. In a prior professional life I was director of patient accounting at a couple of hospitals. It was my experience that insurers would ask for specific pieces of information in a medical record, however, it took so much time for my staff to cull out those pieces of information, that it was administratively easier for me to simply request a entire photocopy of medical record and sent it to the insurance company.
MR. GELLMAN: So it's not necessarily that the companies want all the information, it's just easier for the provider to do it?
MS. FYFFE: Correct, in some cases, yes. You could have a medical record that is six inches wide for a chronically ill patient. Going through that, and culling out specific pieces of information is very time consuming.
MR. LARSON: We have a policy on handling of medical records. In it, it explicitly states that we don't require the whole chart, or we should not ask for the entire chart; only those pertinent bits of information that pertain to the case. In fact, our reimbursement policy for the acquisition of medical records within our system allows for no charges to be for basic information within the chart, but when we ask for the whole chart, then there is a chart associated. So there is an incentive not to ask for the whole chart.
MR. GELLMAN: Do you have the same experience, that you might get the whole chart anyway?
MR. LARSON: We might get the whole chart, even though we didn't ask for the whole chart.
MR. KOWALSKI: Our experience in industry is the requests come in for any and all. They ask for everything, and it becomes a burden, because you have to photocopy the entire medical record. I'm sure they don't need it, but they always ask for any and all; anything they can get, they want.
MR. GELLMAN: You have described a pattern of practices in your company that are relatively restricted. Are there any internal policies within other companies or industry standards that regulate what is sort of within the scope of a legitimate or routine request for more information on a particular encounter?
MR. LARSON: I'm not positive, but I think within the accreditation standards of URAC -- Utilization Review of Accreditation -- they have a standard that seeks to limit the type of information you request, only to the information that is pertinent to in this case, the utilization review provisions that are being reviewed. So they seek to limit that. If an organization is accredited by that body, then they would have to show that they have such a policy in place.
MR. GELLMAN: Well, some of the legislation, and I think you would probably find something very similar in all of the bills that have been introduced to date would require that all disclosures be limited to the minimum amount of information necessary to accomplish the purpose for which the information is being disclosed.
Do you like that language? Do you like that idea? We're not talking about specific language here, just concepts. Does that seem to work? It sounds like it is what you just described.
MR. LARSON: It does. It would force the requestor to be more specific, and to think before acting in terms of what information they really need, and then seek to obtain that. Then rely upon the provider to provide the information that is requested.
MR. GELLMAN: Kathleen?
MS. FYFFE: I think that that has been the policy of our member companies for a long time, that you request a minimum amount of information necessary. Whether you get that or you get something else is another issue.
I would also like to make another comment. I served on the WGEDI, the Work Group for Electronic Data Interchange, Attachments Subcommittee a couple of years ago. One thing that we discovered in our discussions was that one of the reasons if you will, for the increase in requests for information from providers had to do with managed care, and the goal of managing the cost of the care.
In fact, there was one large teaching hospital on the West Coast that found that it was getting more requests from managed care organizations than from other types of payers.
Perhaps in the long run when the medical record becomes electronic, there will be a decrease in those demands, but again, for managing the care, there were a lot of requests for additional information.
MR. FANNING: Do you have the impression that they wanted information on named patients to make a choice with respect to that patient? Or were they doing a kind of a statistical analysis?
MS. FYFFE: I don't know.
MR. GELLMAN: If we have a standard that says everyone has got to limit disclosures to the minimum amount necessary to accomplish the purpose, who gets to decide what the minimum amount is? Is it the person making a request or the person making the disclosure?
MR. LARSON: I would say the person who is making the request. They are the ones who know the purpose of the request. They know the limits of their study. They know the outcomes they are trying to achieve. Anybody else would be second guessing that.
MR. GELLMAN: I'm not trying to quibble over this, but I just wonder if that doesn't put the requestor in a position of sort being self-regulatory, where they don't necessarily have an incentive to limit the requests. Arguably at least, under the standard, the person who is making the disclosure is the active party here in terms of making information available.
If they may not present concern about liability for accidently or carelessly disclosing more information than fell within the scope of the request, because it may not be that clear. You may not know if you are the recordkeeper, the specific purposes or scope of what the requestor is doing with the information.
Where I'm headed here is simply the concept is a good one, and it seems to make sense, and it's a fairly standard principle of privacy to limit disclosures to the minimum amount necessary. When you start looking at it in the context of specific transactions, that requires judgment and decision making on the part of two or more players. If people are worried about the problems and legal liability that could arise from that?
MR. KOWALSKI: I think what you said, whatever the requester wants, but as long as they are confidential, that's the basis of it. I think it ties back in with your previous question of the specifics. If they know what they want, and they ask specifically where and what they need, it is a lot easier to provide than any and all when you have to get all physical exams, all records and everything, that probably 75 percent of it doesn't even pertain to what they want, yet you have to get it if you don't specify it.
I think if you can specify it, and the requester is the one that wants, if they specify what they want, as long as all those records are confidential, I don't see what the problem would be.
MS. FYFFE: There is a certain amount of professional judgment on both ends. If I, as an insurance company, want information about a person's diagnosis or procedure, or a certain episode of care in a hospital, I could be specific about requesting operative reports or lab tests, or I might be a little more broad than that.
Then it becomes the judgment of the provider to go through the medical record and provide information related to that episode of care. So I think that for practice purposes we have to rely on the judgment of the requester and the provider at both ends.
MR. GELLMAN: Is it always clear to the provider what the purpose of the request is?
MS. FYFFE: I don't know.
MR. LARSON: Often the case is it is probably not.
MR. GELLMAN: So do perhaps we need to have to think about a requirement that when requests are made, that they have to indicate what the purpose is, so that you can exercise some kind of professional judgment on the disclosure end?
I see people nodding their heads.
MR. KOWALSKI: That sounds reasonable to me.
MR. LARSON: I think in my case I would say that would be fairly onerous. I would prefer to have questions asked on the provider or if I'm being asked to copy or provide a whole chart, and I'm going to second guess the need for that request, versus if there is a carefully worded request that requests certain pieces of the record, I'm going to question that less.
DR. HARDING: I'm a psychiatrist and I get any and all requests almost constantly, usually from a date to a date, and they want the whole chart from that time, all lab tests, psychological tests, progress notes, everything. That's standard. I don't think I have ever had anything else in the last couple of years from various companies. That's just an aside.
I'm interested a little bit in the tension, Mr. Kowalski, that you were describing between the employers and the health department within your association, not just speaking specifically for GM, because I am sure it is present in others.
Where you were saying that sometimes you are pressured to release information by the company that is a medical confidentiality issue. Could you say a little more about how that happens, and what the tension is between human resources and the health department?
MR. KOWALSKI: Well, a lot of occupational health nurses work in various settings across the country. They will get either a supervisor or a personnel person, human resources, whatever, will come in and ask, somebody might have been off for whatever reasons, and they want to know what the reasons were.
There is a lot of information -- they could have been off, in this day and age more AIDS and HIV or some other confidential reason, like an abortion or some other solid that you don't want to give that information to them. They have to trust your judgment as a medical professional that they had a valid reason to be off, and that they were covered by their family physician or their HMO or whatever, and they are returning back to work.
They demand that they want information. In fact, one of our nurses a few years back was fired from a hospital in New York. Both our associations helped with that legal defense. We ran into a New York state law that she refused to give the diagnosis off the return to work slip. Unfortunately, she was even in a hospital, in which you would figure confidential information would be even more secure than out in industry.
She was fired because she refused to give it. We ran into a problem with the state laws of New York on the suit, but those are the issues that those nurses face. I don't know how they end up either denying it or sometimes being forced into giving the information, when if you don't give the information, you are hired by the company; it is your job to provide the information, and they have to give it. I can't say in some cases it's right or wrong, but if they don't give it, they lose their job.
DR. HARDING: So there's an inherent tension.
MR. KOWALSKI: This is the number one issue that our occupational health nurses have been -- I have been on the national nursing board for 10 years, and we have been fighting this issue. It is our number one issue on our job, especially more and more today, because everybody wants to know all this information about this employee, and they really don't need to know the diagnosis part of it.
DR. HARDING: I was wondering if you could see a similarity between that and perhaps a physician/employee of a managed care company, who was asked for specific information about an individual, and would be in the same position, where the employer is asking and "needs to know," and what would be that person's individual responsibility? It's a similar issue, I think.
MR. KOWALSKI: I think it's the trust of the professional judgment of the physician or the nurse that the person has a legitimate, confidential diagnosis or whatever they have, that they don't need to know. We can provide all the information around that, but they don't need to know that specific thing. It is almost like they have to know, they have to know.
It doesn't make any difference regarding placing that person on the job, looking at their restrictions, whatever it takes. You can facilitate that, but it's like they've got to know the reason.
DR. HARDING: So they would in effect go around somehow or other. They don't look at the record, they pressure the recordkeeper to 'fess up in effect, so that they didn't invade the privacy of the record, they got somebody to talk.
MR. KOWALSKI: They will try a lot of different avenues. Then they will come back, either give us the information or you are fired.
DR. HARDING: But they can say they didn't look at the record. Privacy was maintained, it's just that somebody paid the penalty for that.
MR. FANNING: Can I ask a question? I want to follow-up on Dr. Harding's point. There has been a certain amount of criticism, especially from the psychiatric community that managed care payers are requiring a great deal of information about the patients that goes beyond diagnosis, to the discursive details of the patient's situation.
Are the managed care organizations or others developing some kind of standard form what it's proper to ask of the treating physician, especially in psychiatric care? Are there standards for what is done with that information once it arrives back in the central location?
DR. HARDING: I would just add the addition of infectious disease and OB/GYN issues too, not just psychiatric.
MR. LARSON: I can address parts of that question. We have instituted a process where most of our mental health review on a prospective basis is done through a standardized form that is filled out, instead of requesting medical records. We do request records for claims payment purposes if there are questions.
Those records are handled through a special unit that just handles mental health review. Those records are maintained, and we have a digital imaging system where those records are scanned into a queue or a special file that has restricted access. So we handle those specifically in that way.
MR. FANNING: What sort of questions are asked in the standardized form for prospective authorization?
MR. LARSON: Information concerning type of therapy that they are performing; their estimation of the duration; goals of treatment; what they hope to accomplish; looking for short term goals and brief treatment goals, instead of long term associations and relationships.
MR. FANNING: Does it ask for details about the patient's situation, symptoms and life circumstances and reason for seeking treatment?
MR. LARSON: In brief statements, yes; not in the detailed history.
MR. SCANLON: Can I follow-up a little bit on how the situation works in a managed care setting, the relationship with the employer? Intermountain is probably a good example.
In general, the medical record resides with the practitioner, the doctor or the hospital. In a health plan setting, again, sort of a staff model, the health plan itself would be the provider. Providers would be employees of the plan. They would be one in the same.
In other situations which are networks or other sorts of models, clearly again, I guess the medical record resides again, with the provider, but again, as you are suggesting that the plan for management or other reasons, does get some sort of reports for statistical purposes or for review, for utilization review, for quality assurance from the plans itself.
Does the case often occur where if Intermountain for example, is under contract with an employer, that the employer then would ask for some either statistical information on the performance of their enrollees or an individual information?
They come to Intermountain and say, well, we're a little worried about -- obviously, they are paying per capita, but they would like to see utilization patterns perhaps for individuals. Would that be the case very often?
MR. LARSON: We have a standardized report and a standardized request and standardized expectations from our employer groups that the information they would like to see. We don't provide information that is identifiable at the individual level. So for example, if there are less than 25 members in any one cell within the report, then we don't provide that information, so that you can't, through the process of elimination, identify individual members.
We do occasionally get requests from employers, usually the human resources side of an employer, asking for information about an individual patient or employee. Usually they feel they are acting in the best interest of the member in that the member has expressed concerns or complaints about services provided, and the employer is thinking they are acting as an advocate for the patient, instead of against the patient.
We have to remind them of our stance of not providing that confidential information, but often times an employer already knows certain bits of information, because the employee has been forthcoming and already told the employer about their situation, and really is requesting that the employer act as their advocate.
MR. SCANLON: Kathleen, would the case arise similarly when an employer tracks with one of the either indemnity or other health insurance plans? Again, they are interested in either cost control or utilization review or something else. What sort of requests might come?
MS. FYFFE: I'm not prepared to give a detailed answer on that, but certainly there are situations where insurance companies have an ASO arrangement with an employer, which mean administrative service only. I could find out for you and let you know, but I don't know the details.
MS. WARD: Certainly in our state more and more concern is being expressed from the consumer around genetic testing. I was wondering particularly perhaps for Mr. Larson and Ms. Fyffe whether you see things back from your view, concern about special protection or concerns from that are of protecting genetic testing, and what circumstances genetic testing and genetic information may be shared?
MR. LARSON: We've had a request -- IHC is actively involved in a lot of research. We have a request from an outside entity to use or data in cancer research from a genetic standpoint. We have provided information to them in an encrypted format for their review. None of the information that they obtained, the results of the genetic testing, is forwarded back to us, so we don't know the individual outcome of the patients in terms of what their genetic study resulted in.
More issues surrounding genetic testing are based on whether genetic testing should be covered, and for what reasons should it be covered under the health plan, versus trying to find out what the results of genetic testing are, and then using that information in a reverse process to limit coverage.
We don't obtain any of that information directly; only through what would be submitted through medical record requests, and intentionally would we ever find out or make request if somebody's genetic testing for purposes of coverage or payment.
DR. HARDING: The issue of correcting medical records that I think you brought up Ms. Fyffe. How would a large group do that? Let's just say a patient comes into a large managed care company, and wants to look at their medical record and correct it. How do we know the appropriate correction is being done and so forth? In large organization, how will that be done? Maybe I'm asking something that you aren't aware of.
MR. LARSON: Exactly. That's not part of my responsibility at the plan, to be responsible for the medical record itself, and safety to the medical record in the delivery sites. So I don't have an answer for you on that.
MR. GELLMAN: Let me try and provide some background on this and see if it helps. Already about half the states have patient access laws. I think that there is probably a relatively common set of access and correction rules. There are some differences in the bills that have been proposed, but the correction is not the conception and the legislation is not that a patient will be given a record and can just write in any changes they want. None of the bills contemplate that.
If you look at the kinds of corrections that might come about, a patient might look at a record and say, no, no, you have my birth date wrong; something of a relatively simple factual question.
You then may also have questions or problems where a patient says, I don't agree with that diagnosis code. I don't have appendicitis, whatever -- the doctors can always do better in coming up with examples than I can. That is clearly a substantive problem, where a patient disagrees with the medical judgment.
None of the bills give the patient the right to make a change. If there is a disagreement about whether the patient's change is correct or appropriate, the remedy that is provided is that the patient can put a statement of disagreement of some sort in the record that says I don't agree with the diagnosis in this case, but it doesn't change the record.
Nor do any bills actually require that any information be removed from the record, even if the patient is correct, and that the information is wrong. The record would be supplemented with a note so that you would not actually change the basis that the information that appeared in the record, in a way that would undermine the purpose of the record as a record of what actually was done and why, because if you thought a patient was 30 years old and it turns out he was 40, you might have treated him differently in some cases.
So it is a fairly loose kind of a requirement reflecting the fact that a medical record contains professional judgments that many patients will not really effectively be able to question. So that in terms of how you implement and deal with this -- by the way, it's not just medical records that the rules apply to.
The same thing would apply to health insurers for example, who would be considered health information trustees under all the bills. Their records would be subject to patient access and correction as well, under the same standards of course, where it is even harder, because a health insurer will have a record that reflects judgments made by other people, namely the providers, and may not be in a position to say we don't have any basis to question this. You can go back to the provider and ask them to change the information.
So it's a complicated thing, but the structure of this is simply not patients can come in and do anything they want to their own record. In devising procedures to deal with this, that makes some of the choices and decisions easier -- at least it should.
DR. HARDING: One other thing and then I'll stop and let Harvey have one. It was several times mentioned the coordinated release or informed consent for release of information. Do you things that your consumers sign is informed? Do you feel that they understand what they are signing when they sign your informed release statements?
MR. LARSON: I'll take a stab at that one. We have been concerned about what our informed consent statement has been in the past, and have recently taken steps to change that. As we have developed our integrated system, we are thinking in terms of an integrated system. We're thinking that the same consent that they signed when they are on the plan, ought to be the same consent that they sign when they go into the physician's office or they are admitted to the hospital.
So we have recently taken steps to change so that every place they sign within our delivery, it's the same thing, so that as they go through the system, they become more informed. We have made it more specific that the purpose of the information or the information will be shared within the integrated delivery system. That it won't just be used by the health plan, and then somebody else will have to request the information. We share the information within the entity.
We think that by using a consistent approach with our members, they will become more informed, but they may not be informed. The same issue can be raised anytime you sign any kind of legal document that really is your consent for anything; does anybody really take time to read through it? Probably not.
DR. HARDING: I'm not being critical. I'm just wondering how we can educate patients to understand what they are really signing; that's kind of the complexity.
MS. FYFFE: Let's clarify something here. I think that there are generally two classifications of signatures or consent. One has to do with signing benefits or the acquisition of further information about a person's medical record for payment purposes. Then there is the consent for treatment.
Those are two different sets of signatures. When I hear the term "informed consent" I think of that more in of a clinical way in terms of treatment, rather than the administrative process for payment. I just wanted to clarify that point.
MR. KOWALSKI: I think regarding the consent, I think over the years more and more people are familiar with informed consent and all the problems that have gone around all the paperwork, and you have to sign. Basically, a lot of nurses will say, you're saying it's okay to do these specific tests and do x-rays and to treat.
I think the other thing that might happen is like myself as an employee of General Motors, I go on sick leave and General Motors outsources our health care to Metropolitan. I get SNA papers, and that's all I know. There are seven paragraphs of all the stuff. It says if you want to go on sick leave, you've got to say it's okay for them to do whatever they want with your medical records when I go in the hospital or whatever I do.
I'm saying it's okay, and I have to trust that Metropolitan is going to keep those records in a safe, confidential way. I get this big form and I sign it in saying, hey, it's okay. In whatever they do and how they use the records, I can only hope that it's done in a confidential fashion, because I believe most average people, and I think even most educated people -- nobody sits down and reads all that stuff.
Basically, I think as long as you've got a good feeling, and you know when you signed it that you are trusting somebody that they are going to do the right thing for you. It's the same thing when somebody says we do things for them, and I say, now these records aren't going to be released until you say it's okay. So a copy of their records aren't going to go anywhere until they say it's okay to give them to somebody.
I think as long as people can feel that that trust is there, they can walk away confident, but when they feel that their records are going to go to a supervisor or a plant manager or to anybody that wants them, that's a scary thing for all of us. It anybody that wants them can get them, it's pretty sad.
MR. GELLMAN: We've been joined this morning by Dr. Don Detmer, who is chairman of the full Committee on Vital and Health Statistics, and we are grateful for his participation. I recognize him; he has a question.
DR. DETMER: Thank you. I have found the testimony very useful. I have another question that relates to some of what you have just been talking about. Some of the bills in the past that have been considered in Congress have talked about the issue of data being used only for the purposes for which it was obtained. In other words, if you ask for the data, you can only use it for those purposes under which you obtain it.
I'm just curious about your sense of the practicality of that, and how you respond to that. It's often also a piece of the legislation. Mr. Gellman was talking about the minimum data needed as one dimension of this; this is another sort of thing, constraints for which you requested it being the limits.
MR. LARSON: I guess I would be very concerned about those limitations. We have many expectations -- our members who seek care from us have many expectations from us. They have an expectation that we'll pay bills correctly, that we will pay claims correctly; that we will insure that their provider is of appropriate quality through credentialing purposes; that their premiums won't be raised; that we'll be cognizant of the outcomes of their care.
So when we are provided information for claims payment purposes, and then we seek to take that information and recategorize it and use it for utilization purposes, for outcome studies, for holding the cost of the premiums down, I think we are acting on behalf of the member or the patient, and that's their expectation.
If we fail to use that information for those purposes, then I don't think we have met their expectations.
DR. DETMER: You could state that as purposes that you intend to use the data for at the time that you in fact ask for their release on it.
MR. LARSON: Right. So that's why when we have a time of enrollment on our plan, we have a statement that they sign that says that we have access to their information for the following purposes, and we list out quality improvement, so we are basically saying that any information that we obtain about you as an individual in your health care will be used for the following purposes, and it is implied I guess, for your benefit.
MR. GELLMAN: If I could just add a comment on this. I mean you are drawing a parallel between this is and the minimum amount of information necessary.
DR. DETMER: No.
MR. GELLMAN: It is, it's the same issue in a lot of ways. The question is, who gets to define the purpose? If I am the person who is getting the information, collecting the information, whatever, I can simply define my purposes as broadly as I want, for any profitable enterprise, and all the sudden the purpose test doesn't necessarily provide any real protection. This is not a trivial privacy problem in a lot of contexts, and it's a problem here.
DR. SCHWARTZ: Somewhat related, but more specific, Mr. Larson, I believe one of the reasons you mentioned that Intermountain uses computer-based patient records is to determine whether or not a patient might have received care according to a guideline like for asthma or diabetes. Could you just briefly discuss how that information is accessed, and how it is disclosed, and how it is used?
MR. LARSON: Thank you. I was waiting for that opportunity. We have talked quite a bit this morning about the problems with obtaining medical information, and the disasters that can happen if information is used inappropriately. I would like to focus on some of the wonderful things that can be done with this data, and the positive side of having access to medical information.
We have developed many initiatives within IHC that we call care process models or care practice guidelines. Some people call them clinical roadmaps. One of those groups that I sit on is an asthma care process model. Within that, we have taken the national guidelines that are well publicized for asthma, and applied those to our plan membership.
We have had a number of educational efforts with our physicians and with our patients, our members to alert them to the proper way that asthma should be cared for. The main purpose of the guidelines or the main backbone of the guidelines is the use of inhaled steroids.
Asthma is an inflammatory condition, and if the inflammation is controlled, then you can control the disease. So it is thought that inhaled steroids are the best way to do that.
So we have profiled our patients in the committee. The committee doesn't get the individual names, they get the profiles that are encrypted, and they review these profiles, looking at emergency room utilization, hospital utilization and a profile of the drugs that the patient is currently using.
They look for the right profile. If the patient doesn't have the right profile and seems to be at risk, then we generate reports that go back to that patient's primary care physician showing to them the profile of the patient, and asking for them to evaluate that patient and perhaps intervene to change the standard of care.
In that case, the physician is receiving information back from the plan for care that they didn't necessarily administer, because that member could be seeing several different physicians. Essentially what we're giving them is a whole profile of the episode care this patient is receiving, and providing them more clinical information than perhaps they had in the past.
We have had some wonderful results. We've had letters back from physicians stating -- in fact, we did a survey of half the doctors that we sent the letters back to, asking them their impressions of this program. By a wide majority, the physicians were very supportive of the programs. Some of them felt that we didn't have all the information we needed, but were appreciative of the effort.
Some physicians wrote back and told us the patients who were thankful for the information that came forward, and never dreamed they would have an insurance company who would think that much of them to be able to provide that information and be looking out for their well being. I think that is the positive side of having this information available.
MR. FANNING: Can I ask a question? You say that your committee, when it is reviewing the patient records for this purpose, does not have the patient's name.
MR. LARSON: The health plan has that information.
MR. FANNING: But your committee?
MR. LARSON: The committee is made up of physicians from the plan and staff support, and we just felt there was no need for each individual patient's name to be there; there was no purpose in the committee. They were looking at the profile to judge whether they were receiving appropriate care or not. There was no need to have patient names attached to that information.
MR. FANNING: Has there been any instance where there has been some inefficiency or mistake as a result of not having the names? A mix-up when you got back to whoever did have the names, a mix-up as to what patient your recommendations applied to? Have you had any experiences with that?
MR. LARSON: No. I can if you had a tracking that was more of a manual encryption system versus an automated type of a system, that you could make some mistakes. You could end up sending a profile to a physician that was incorrect. That could have some pretty serious problems associated with in. In general, we haven't had that though. It could happen, it just depends on your record system.
MR. GELLMAN: I think that is a very interesting example, and a very helpful one, where it fuzzes the line, not in a negative way. It just makes drafting legislation much more difficult between what is actually providing care and what is paying for it, because you have got activities going on sort of in the back office that ultimately affect the way care is provided, at least providing information back to the physician, in a very positive way. It just makes line drawing a little harder.
Let me go back to some questions about third party payment. As far as I'm aware, patients who are asked to sign consent forms for disclosure -- I'm not talking here about treatment. I think the distinction you made is a very important one; the distinction between informed consent for treatment, and informed consent for disclosure.
The forms typically say any and all information. Is that case? Is that your experience? Is that broader than is necessary for the processing of a particular claim?
MS. FYFFE: Generally, I believe that is true.
MR. GELLMAN: It's true that the statements typically say any and all?
MS. FYFFE: Yes, and in general the statements are signed yearly by the insured. This is to help the administrative burden on the claimant or the person who has the insurance, so that you don't have to go back and get another signature from them every time they submit a claim. That is common practice in the industry, yes.
MR. GELLMAN: Is it the case -- I had one example come my way of somebody who basically wanted to object to some of these forms, and was told by the insurance plan it doesn't matter whether you sign the form or not, the master contract of insurance gives us a right of excess to all your records anyway. If you don't sign the form, we're just going to cancel your policy.
MS. FYFFE: I have never heard of that.
MR. GELLMAN: I know for example some automobile policies -- and they do contain health coverage at times, depending on what kind of options you have selected -- may have a clause in there giving the auto insurance company the right of access to records without the signature on a particular claim form or not.
MS. FYFFE: Automobile medical is a property and causality type of product line, and I'm not very familiar with those at all.
MR. LARSON: On the other hand, looking at it from an integrated delivery system, if we are to act and provide care and provide services within our organization, the ability to share the information within our own entity, not release it to third parties, but to share information within our entity and our contract to providers is the basis of how we deliver care.
Intermountain is creating databases and information systems that creates a patient record at the central level that would be accessible whether you received care from Dr. X, or for access purposes you go to Dr. Y six blocks away, that both physicians can have access to the same information, and therefore the quality of care provided by both of those physicians is of equal value, based upon the information they received, prior history.
We think that is acting in the best needs of the patient. To have that removed puts handcuffs on us to be able to say that we're acting on behalf of the patient, and we could make mistakes, and a lot of unnecessary care could be provided, or necessary care could be not provided.
MR. GELLMAN: A patient comes into a physician's office and is handed a consent form, and makes a change on it; says only good for six months, or can't disclose it to Dr. Smith, or something like that. What happens? Does anyone pay attention to that? Is that binding on anybody? Does anyone notice? What happens if I sign a consent for Mickey Mouse? Does anyone know?
MR. LARSON: Probably not. One of the big problems we have with consents even today at the time of enrollment is a lot of different employer groups are wanting that process to be done electronically. When you have an electronic enrollment, over the telephone or whatever, how do you sign a consent? That's a big problem.
It will become more and more of a problem, because I think electronic enrollment is the wave of the future. So really what we are entering into then is an environment where there will be no signatures obtained, other than you can push a button on the phone and consent by pushing 1. Then how do you record that, and how do you document that for the future?
The other side is there are a lot of large employer groups who require that their enrollment form be used, not the plan's enrollment form. Therefore, we occasionally don't have the opportunity to be certain that our statement, or what we would want on that consent is included on that enrollment form, because they have one enrollment form that they send out through multiple states, and they won't allow us to have a different enrollment.
MR. GELLMAN: When I go to a physician, I am presented with a consent form and I sign it. Does that go back to the insurance company or is that just maintained in a physician's office?
MR. LARSON: Physician's office.
MS. FYFFE: Yes, physician's office.
MR. GELLMAN: So if there was a restriction on it, you wouldn't even know?
MS. FYFFE: Correct.
MR. LARSON: Correct.
MR. GELLMAN: I want to talk a little bit more about the informed consent issue, which we started to get into. It is my view that informed consent for disclosure is neither informed, nor consensual, because of all the problems that we have talked about here.
The Condit bill, H.R. 52, basically proposes to do away with informed consent for disclosures in connection with treatment and payment, and basically says informed consent, if you will, is not required, it is the default. It is assumed that all patients -- the statute creates authorizations for all disclosures necessary for treatment and payment without a specific signature or approval from a patient.
There is a procedure if patients have problems, and for example say, I don't want my information shown to Dr. Smith, because he is my brother-in-law. Or if they say, I want to pay for something out of my pocket, don't give it to my insurance company, there is a procedure whereby patients can do that.
The notion is that you don't need to collect a signature from a patient for disclosures. There is a set of statutory rules that say here's how information can and can't be used, and it is not contingent on that signature from a patient, when the patient doesn't really know what they are signing.
Does that sound attractive to anybody? Do you like that idea? Does that sound better or worse than the current system? Any reactions at all?
MS. FYFFE: On first glance it seems attractive. The question that pops up in my mind is will that supersede contrary state laws? That's a very significant issue for insurance companies.
MR. GELLMAN: A very complicated and different issue, a fair qualification.
MR. LARSON: As long as there were some pretty specific reasons for the purposes you could use the data for, and on there you just have a blanket statement. I think that the law should also include consequences if you use it inappropriately, and there should be more oversight as to making sure that policies, and they have safeguards in place.
MR. GELLMAN: Well, there are consequences for misuse all over the legislation. That's the last thing you have to ask for.
MR. LARSON: But is it ever enforced? Are they ever applied? I mean if you had a few examples of when it was applied when people used the information inappropriately, then perhaps you would have more people who were safeguarding the records.
MR. GELLMAN: Mr. Kowalski, do you have any views on this?
MR. KOWALSKI: I would venture to say that historically there have been a lot of travesties with paper records over the years of health care in this country, and with us moving into the technology area, I think that leaves more and more opportunity for that to happen. So I think it's somehow important to make sure that the patient is educated.
You can say that the signature gives things away and whether it's necessary or not, but if the patient's who say is lost without a signature, I think you can put down the laws and all the penalties of crimes, but the sense of the problems that we have in this country taking care of crimes and criminal problems, this stuff could get tied up for years, and I think the patients rights to confidentiality just gets watered down even further.
So I really think there needs to be some real concern of making sure that the patient's rights to confidentiality are really securely handled. Because of the history with paper, I think the technology and computers frightens the heck out of me.
MR. GELLMAN: Right. One of the other parts of all of the proposals is a requirement that patients be given a notice of information practices, so that they will have information. Whether that will actually be effective for patients in terms of if I give you a booklet that says these are your rights and it's 12 pages long, or 50 pages long or whatever, how effective that will be remains to be seen, but there limits in terms of what you can accomplish.
Anyway, that's one way of addressing that, at least so that patients who are specifically concerned have a way of finding out what their rights are.
MR. KOWALSKI: I got your summary of the Condit/Bennett bills. I guess I would like to say as long as the patient, the employee, the client doesn't get lost having some say in this whole thing, I think that is the most important issue.
That they understand that they still have that trust that their records are going to be their records, and not just given away.
MR. GELLMAN: Fair enough.
Let me ask a more technical question about an authorization form for disclosure. Suppose that there is a statutory limit placed on how long authorizations are good for of say a year. Does that create problems in the insurance processing business? Would six months do? Is a year long enough? For what period of time might you have to go back continually getting information about a particular claim?
MS. FYFFE: Currently, one year is standard.
MR. LARSON: We have a number of employer groups and a number of efforts now where we don't go through a new enrollment period. We're entering into policies of multi-year contracts. We don't go through a re-enrollment period. So we don't go through a process where we can have them resign. So there are multi-employer groups where that would be a definite problem, and an additional burden and cost placed on the plan and the employer group.
If that was the case, then we wouldn't be able to do that. We would have to go through an open enrollment period or a consent period every year, which would add additional costs to the plan.
MR. GELLMAN: Wouldn't you be able to get consents at the point when treatment is provided? Wouldn't there be a form signed at that point that would authorize the disclosure?
MR. LARSON: We are both a network plan and a group model plan; the group model pretty much being the employed physicians. So when we have someone seeking care from point of service benefits, or from a contracted provider, then we are not quite sure what they are signing in physician's office, because they are a contracted entity, and we haven't received any permission then, if they are using point of service benefits, to obtain information when they went out of our plan.
MR. GELLMAN: So this goes back in part to the question I asked before. You don't see the authorizations. In any event, you don't know what is there?
MR. LARSON: We don't, not at the point of service.
MR. GELLMAN: So getting too specific on the authorization end, and having too many specific requirements there creates problems, and perhaps additional administrative costs for you.
MR. LARSON: And could bring a lot of our quality improvement efforts to a grinding halt, because they would be too costly and too onerous. We would probably be able to do maybe a fourth of the types of studies we are currently doing if we had to have that kind of a policy in place.
MR. GELLMAN: What would happen if you asked patients for their consent to have their records used for those kind of activities? What do you think the consequences would be?
MR. LARSON: Very few quality improvement efforts being taken on. The ones that we would do would be costly. We would have to cut the number down. We would still do them, but the number and the impact, I think we would we set back our outcomes improvement initiatives back significantly.
MR. GELLMAN: Do you think patients would understand what you are doing when asked for consent, and would agree or not agree on a reasonable basis?
MR. LARSON: I think some of them would say I don't want you to use it at all, ever. Some of the would readily assign; other would be in the middle ground, where they would question it, and maybe seek additional information before signing. I think you would change significantly the quality improvement efforts of delivery systems in the future by that act.
MR. GELLMAN: Okay.
DR. HARDING: That's a very good point, Mr. Larson. I was wondering, how do we deal with that? You are bringing up the pathways and so forth, that are excellent. Improving patient care is a very positive thing that you are doing with asthma, and I'm sure you have them for other things.
The issue gets down to the patient having confidence that you are looking at that data for their benefit, as opposed to, to do something like screen them out of the program if they are a non-compliant diabetic who is going to be a real expensive person in the next 20 years.
If they volunteer, so to speak, and they get on the wrong side of things, maybe they will get bounced out. That's the kind of fear evidently that people say I don't want my chart being looked at, because maybe there will be a negative outcome from that.
MR. LARSON: Even within our own system we have a number of statements or policies that have been written that state that we can't provide this information to the health plan, because if you are employed by a health plan, you are an inherently bad person and that you have ulterior motives, and that you will use this information for the wrong purposes.
What I'm trying to get our organization to look at is to say every employee within our organization has signed the same employee confidentiality agreement. They are all held to the same standard. Don't look at us with a jaundiced eye that you might have developed based upon your relationship with other entities. We're working together here, and we safeguard these records just as well as the other portions of the organization.
I can see the inherent reasoning behind that, of saying that if you take that individual information and use it for underwriting purposes, and it wasn't intended for underwriting purposes when it was given, then that's wrong. I clearly agree with that.
We don't use our information for that purpose, and so I don't have any problem with our use of the data, though I can see the fervor that could create within the industry, because it probably has been used by some people in the past for those purposes.
DR. HARDING: How do you educate people that way, to let them know, so that they do feel comfortable? That is my question. I guess you can just tell them over and over again that we won't use that in any way, but in your best interest.
MR. LARSON: Well, one of the member plans that I'm associated with, Harvard Community Health Plan, has taken a very substantial effort to try to influence their patients. We have taken a look at it, and haven't taken steps that way.
They have actually produced a video that they send out and use as an educational purpose, as a way of trying to improve the perception of the patients around the efforts that they go through to try to protect their records, and try to gain that confidence of the patients in terms of trusting them with their information. I think there could be efforts taken that way.
DR. SCHWARTZ: A more parochial question, do any of your organizations provide confidentiality and privacy education training to your employees?
MR. LARSON: We have taken substantial efforts. We had a confidentiality policy in Intermountain Health Care for as long as the organization existed, 28 years or more. Within the last 2 years, because we have an electronic environment now, where information is much more readily available, we have taken significant steps to change and actually re-send out to every employee within Intermountain Health Care, a new agreement for the consequences, as well as the definition of what we consider to be information, whether it is in written or electronic format.
Along with that went a training video and in-service material so that each and every employee, as they signed that, viewed the video and the importance of the policy as it was re-implemented.
MS. FYFFE: Yes, our member companies for example, would provide training and education to employees, not only in the claims adjudication area, but in the special investigation units for anti-fraud. Those folks have to sign the same type of confidentiality statement, because they have access to confidential information about patients for purposes of investigation.
MR. KOWALSKI: I will say this, being an employee of General Motors, they haven't specifically provided any education to the basic employee per se, other than the medical people who work in the field. One of our co-partners of the business, United Auto Workers continually provides all kinds of information in many areas of health care to their employees.
They have weekly/monthly bulletins, and they target different areas of health care and what they need to be aware of in their information packets to their members.
MS. WARD: Do you think the consequences, the penalties are strong enough in existing states? Do you think that increasing the penalties is a benefit for misuse?
MR. LARSON: I'm not sure that the penalties need to be increased. As I mentioned before, I think that the current penalties that are there need to be enforced.
We have an electronic information system within our hospitals that provides -- essentially the inpatient record is all electronic. Within that system we often have VIPs or dignitaries who are admitted to the hospital. We have an audit process where you can turn on the audit process and find out who accessed that electronic record within the hospital.
They will turn that on and audit, and find that there are people who access that, and then the policy is implemented as stated, and action has been taken. It only takes once or twice for that to happen, for the word to get around, don't be caught where you are not supposed to be, because they are serious about this.
So I think that's where we are lax.
MS. WARD: Do you have any suggestions in terms of the idea of putting some of that oversight and recommendations about those kinds of security policies, how we could increase the oversight or enforcement at a regulation or statute level?
MR. LARSON: Well, I think you could do it voluntarily through accreditation such as NCQA and the like. They do have confidentiality as part of their accreditation process. Their standards could perhaps be eased up a little bit in terms of walking around when they are there and looking for breaches. Are medical records laying around? Could they walk up and open a file and pull something out?
They could take more of an on-site inspection role that way, to try to determine whether confidentiality policies are being followed. Outside of the voluntary accreditation, it would be difficult other than you could solicit patient or member hotlines or feedback for when they feel like their confidentiality has been taken advantage of, and then use those as a way to investigate retrospectively.
MS. WARD: What would you think if state licensing agencies that are existing now had more oversight into the confidentiality and health information?
MR. LARSON: I'm not sure I want more state oversight or regulation. I don't know. I'm not exactly sure who the right body is to regulate this. Obviously if it's a state law, they are already supposed to be enforcing that. If this becomes a federal law, then who enforces the federal law?
MR. GELLMAN: Well, let me just offer a thought on that. Those are fair comments. Under the legislation that has been proposed -- and there are different bills, so there is total commonality -- there are much more serious criminal penalties for willful misuses of information. One of the purposes of that is that if you have minor criminal penalties, it's not so much the deterrent factor, but if you don't have serious penalties, the prosecutors won't take cases.
If you have a misdemeanor, you can't get a federal prosecutor to prosecutor. That's not really pushing things in the direction of criminal penalties, that is very much a last resort, other methods in the legislation for giving people who have been harmed, the right to sue. There also are some discussions in some of the bills of administrative remedies, perhaps at the secretary level, because there is plenty of oversight from the federal level on a lot of these.
MS. FYFFE: Perhaps you can clarify. The administrative simplification provisions of PL104-191 Kassebaum-Kennedy bill has criminal penalties in it for misuse of individually identifiable health information that are quite stiff, particularly if the abuser uses the information for financial gain, like a marketer for example.
MR. GELLMAN: The problem with that is that if you read the bill, it's not really clear what that applies to, or what standards exist. So I suspect that those specific criminal penalties, if there is legislation, are likely to be revisited and put in a different framework, but I think my reading of this right now is that you have a criminal penalty that you could not prosecute anyone under, because there are no standards. It's the same idea.
I think this is a good point at which we could take a break, and we will reconvene in 15 minutes.
[Brief recess.]
MR. GELLMAN: If we could start up again. I would like to get back to the issue of use of claims information by insurers. We have already had some discussion of how claims information is used within the insurer, within the company. I'm wondering if there are any other significant uses of information?
I want to make it clear that in general we are only talking about identifiable information. If the information isn't identifiable, it isn't covered under most bills, because there is not a privacy interest on non-identifiable information.
So the question is, are there any other internal uses of health claims information made within the insurance company that we haven't discussed already today?
Kathleen?
MS. FYFFE: Well, as I mentioned I think before the break, one of the other uses has to do with anti-fraud. Again, insurance companies have a financial obligation to the people who purchase the insurance to be certain that they are paying on bona fide claims. To the extent that there would be a suspicious claim or a possible fraud, then people other than claims adjudicators would have access to that information. That is consistent with the business mission of the insurance company.
MR. GELLMAN: You have separate, identifiable anti-fraud units within companies?
MS. FYFFE: Yes, some of the companies do have separate units. They are called special investigation or special investigatory units. The people that would staff those units would be investigators, clinical people such as nurses, people with a lot of claims experience. You know again, they work with different levels of law enforcement, whether it be local, state and FBI in order to try to prosecute cases.
MR. GELLMAN: Will the fraud investigators have access to the full range of health claims normally, or does someone have to refer a case to the fraud investigators? I'm still talking within the company.
MS. FYFFE: Sure. The normal procedure is for suspicious cases to be referred to the special investigation unit. They would then have access for the purpose of that investigation.
MR. GELLMAN: If you have a specific claim that is clearly fraudulent -- you've got a claim for a second appendectomy on the same patient, that one's easy. When you have a case of fraud, which I suspect is more common, where you have got a pattern of activity, each particular case is not necessarily unusual, but the pattern of this doctor prescribing the exact same treatment for a whole series of patients beyond the statistical expectation, how would that come to the attention of fraud investigators?
MS. FYFFE: Again, that would depend on the sophistication of their automated systems. Our companies are large, medium and small insurance companies. Some of them have developed their own custom software that is integrated with their claim system in order to detect suspicious patterns. Others have purchased off-the-shelf software.
It would depend upon how they have their review procedures set up. I would imagine that in many cases they would be looking at records that would not necessarily identify who the patient is. It's not necessary to know who the patient is in order to look at suspicious claim activity for patterns, as you have pointed out.
MR. GELLMAN: So where you have computerized systems, and you've got software doing routine reviews, you don't actually have people looking at records, at least at the initial stages at all? It's just something that is totally automated.
MS. FYFFE: Well, it depends on the size of the insurance company and the sophistication of their systems. You could have some that are highly automated at the front end. You could have some that are not that highly automated, and you would have a human actually send a stack of cases to the anti-fraud unit.
MR. GELLMAN: Mr. Larson, do you have any thoughts on this?
MR. LARSON: We use the claims data for a number of purposes, but one of the things that comes to mind with the discussion that has been happening here is that of profiling. We usually target specific things that we want to profile, providers or hospitals or others. Within our delivery system, the health plans are the richest source of outpatient data; information about care provided in the outpatient setting, other than that provided in an outpatient setting at the hospital, so basically, physician care.
The billing information systems will allow us to track that data better, but right now claims data is most useful for that purpose. So we get lots of requests from within our delivery system for use of that claims data for other purposes. Usually it is profiling.
An example of profiling is emergency room utilization. Profiling physicians and the patients that are signed up for them as primary care physicians in regards to the amount of emergency room services being used by a physician.
When you send a report out to a physician and you say to them, you have 120 emergency room visits per 1,000 members that are signed up on your plan, whereas your peers have 60, what seems to be the cause? Why would you say that that occurred?
Well, they write back to us and say, you tell me. You're the one with all the data. Tell me the names of all the patients that went to the emergency room, and I'll investigate and find out why I have these rates, because I don't know.
The physicians don't know that information, and so they are asking for that information back. So generally, what we do is send them a list of the patients who went to the emergency room. We're debating on whether we should include the diagnosis with that. Do we send them a record that XYZ person when to the emergency room for complications of drug abuse or a suicide attempt, or for whatever reason they went there for.
Clinically it helps that physician meet the needs of those patients if their needs aren't being met, and they are seeking care through the emergency room. Often physicians will reach out to those patients and provide alternative mechanisms for their needs to be met other than going to the emergency room.
So that is an alternative way of using the claims data for utilization. You could classify that as utilization or quality improvement.
MR. GELLMAN: I could foresee a circumstance in which a patient went to an emergency room in order to avoid making a disclosure to his physician.
MR. LARSON: Absolutely.
MR. GELLMAN: I have sort of been focusing on internal uses. Now what about disclosures outside the company? Clearly the one case that you talked about, Kathleen, is where you have got a real case of fraud and you want to turn it over to the prosecutors or the inspector general, or whoever does that. So that is an area where disclosures are made outside the company.
What other kinds of disclosures might be made outside the company?
MR. LARSON: We define within the company, an entity, which I think is defined in a lot of the legislation, meaning if you have a contracted relationship with a third party, they are considered part of the entity, and you can release information to that body. So I'm defining outside the organization as somebody who is not contracted.
We have a number of researchers who contact Intermountain Health Care to gain access to our data. We have some very strict policies on that information. A lot of that information needs to go through or will need to go through -- we are establishing an IRB-type of a process outside the inpatient study, trying to determine what specific things.
We have laid this out in a policy we are developing right now. Specifically what information is able to be given to an outside body, and what approvals are necessary in order to do that? We don't give out any patient identifiable information as policy.
There are a few exceptions to that, and when there is an exception to that, then there are very strict circumstances of when they can use the information and for what purposes. Then they must return the data to us, and destroy any information that they kept, so there is very strict control over when and where they can use that information.
MR. GELLMAN: Do you have a company IRB that you use to review these requests?
MR. LARSON: We have a hospital IRB, and now the question -- as I say, this is a very volatile issue within IHC right now, and we are in the process of establishing a policy that specifically states who can have access to the data, and for what purposes, and if you intent to use it for certain reasons. What needs to go through an IRB.
We have a specific list -- I brought it with me if you are interested -- about from a systems standpoint, what information needs to go to an IRB.
MR. GELLMAN: Kathleen, what do you do about research?
MS. FYFFE: I'm not as close to that issue as some of my colleagues here. I would have to check on that for you in terms of specific procedures.
MR. GELLMAN: Are there other external disclosures that are routinely made? For example, do insurers disclose information to public health authorities?
MR. LARSON: Yes, in the state of Utah there is a data policy commission that requires all health plans to submit data to the state. We do that, however, I think we submit the data -- I'm not positive on this -- encrypted, without patient identifiers.
MR. GELLMAN: Now when you say encrypted, without patient identifiers, is there a code on there that links back to the patient?
MR. LARSON: That we can link back, but they can't.
MS. FYFFE: My understanding of that would be that insurers would have to comply with the various state laws, however, I think that in many cases it would make more sense to request information from the originating source, which is the provider. In the case where we have managed care plans who are in fact providers, and might have to comply with the request for an infectious disease or venereal disease report, then that would in fact be in compliance with the public health reporting laws of a particular state.
MR. GELLMAN: Is it often that your companies receive subpoenas for patient records from various sources, private litigants, government agencies, what have you?
MR. LARSON: It's not often, but we do.
MR. GELLMAN: Can you characterize the nature of the subpoenas, why you get them?
MR. LARSON: I'm not the entity within the health plan who receives those subpoenas, so in a way I would be speculating if I state exactly what the reasons would be or the number or the types. So I guess I'm not exactly sure all the reasons. I do know we receive them.
Another entity that we release information to outside of our organization are accreditation bodies such as NCQA or others. They come in, and part of the NCQA accreditation process is actual review of medical records of patients. NCQA has a process whereby they verify that their policy of how we pull those records, they verify. So we have to actually copy the patient registration form in each one of the physicians' offices, and highlight the members that we received the information from to verify that we pulled information according to their policy.
So they actually have the name of the patient and the whole medical record that they actually review as part of their accreditation process.
MS. FYFFE: In the area of fraud investigations, there could be subpoenas. Let me point out that under the Kassebaum-Kennedy bill in the anti-fraud provisions there is an administrative requirement for subpoenas of health records from health plans.
There are also situations where a provider's attorney, might for some reason, subpoena records because he claims defamation of character if we suspect him of fraudulent activity. So it really occurs on both sides of the fence.
MR. GELLMAN: I assume that if you get requests for information in fraud investigations from say the IG at HHS or someone at the state level, that those are responded to on a case by case basis. Where I'm headed is you don't have outside fraud investigators at the state or federal level directly plugged into your computer. I assume that's not the norm?
MS. FYFFE: No.
MR. LARSON: No.
MR. FANNING: Can I ask Kathleen, with respect to law enforcement inquiries unrelated to health care fraud, does it ever occur that law enforcement agencies come to companies and want to know, do you have this person on your rolls, and what's the evidence of their last treatment? Things of that type.
MS. FYFFE: I'm not certain about that. I imagine something like that could happen if there was some sort of violent act or something. Again, I think we are getting more into the area where insurers become providers, rather than purely indemnity insurers.
MR. SCANLON: In the instance where an employer is also self-insuring, and in fact may process their own claims, or contract the claims processing out, are you familiar with how that actually operates? For the claims processing operation, is there some sort of a separation from human resources or other parts of the company? Or if a third party administrator is carrying this out by contract, what is the flow of the identifiable claims information back into the employer?
MS. FYFFE: I know that in the case of an administrative services only contract with an employer, that there are administrative procedures established to keep the information confidential. In fact, as part of the contract between the employer and the insurer, again, for the ASO arrangement, there would be a regular certification by an outside auditor to be certain that the procedures were tight.
Now in the case of the actual employer being the insurance company itself, which I think you are talking about self-funded, I'm not as familiar with that.
MR. LARSON: At Intermountain I think we do everything. We also act as a third party administrator and so some self-funded business ourselves. We treat those employer groups the same way we treat a fully insured employer. I'm not quite sure that we're representative of the third party administration industry in general, because we have the group health insurance side.
So I'm sure that we are representative, but we do treat them the same. Our policies are the same. We really haven't had much of a problem at all in terms of employers trying to pull rank and say that this really is our data, because it's our plan, not your plan. They have been pretty respectful of that.
MR. FANNING: Can I just follow-up on that? In the long run, what does the contract provide? If they really wanted it, could they demand it of you?
MR. LARSON: I think they could, and they have been pretty respectful of our policies, but I think if push came to shove, that it is really their data. It's their plan. Now as an employer group, it's my feeling that they ought to have safeguards within their own organization as to who should have access to the data and for what purposes. They should have equal confidentiality policies that we do within their own organization. We can't require them to do that.
MR. GELLMAN: By the way, that's one of the things that comprehensive federal legislation will do, because employers become health information trustees under the proposed legislation, just like providers and insurers.
MR. LARSON: A definite benefit.
DR. HARDING: Did Harvey want to follow-up on that?
DR. SCHWARTZ: Somewhat related, when IHC releases its data, whether it is to researchers or an accreditation type of body or whatever, is there any requirement with respect to their procedures and how they handle the data? Do you have any review process that IHC performs regarding that?
MR. LARSON: Yes, we make them sign conditions of release of the data. It's very specific in there what they can use the data for, and their requirements for returning of the data. If they are going to report the data to another party, they have to check with us first. There are a lot of parameters put in there that they have to sign prior to our releasing the data.
MR. GELLMAN: Before we go to you, let me keep going on this thread. Mr. Kowalski, I wonder if you have any perceptions on this issue of the exchange of information back and forth between insurers and employers. In a way, you sort of deal with this from inside the company, even though you are a provider.
MR. KOWALSKI: It's interesting. General Motors is self-insured workman's compensation, and we used to be our own employees, but since we are streamlining, it went to Sedgwick-James(?) today, February 3rd. It is outsourced. They are going to be processing our workman's compensation claims, which I'm sure our litigation is going to go up substantially.
In the process, my understanding of the information that we were given with the changeover taking place today, our employees still had to send over a request for information regarding a workman's compensation claim, and we would photocopy a copy of the specific incident that was requested, and they would get it back.
Unless the same procedure, Sedgwick-James is going to have to fill out a form requesting specific information regarding the workman's compensation claim that the employee has put in for, and we will give them whatever information the nurse has written in the records regarding that, just whatever they would request for.
If I could regress for one second, just before we took the break you talked about criminal penalties, and I guess I would agree with David if that could be enforced. When I go way back and I look at OSHA, when one company gets hit for something, especially if it's a nice hit, it becomes the standard that you can use that says you'll either get hit with this fine or whatever problem.
Under the Bennett bill the criminal sanction -- and it would be important to us as occupational health nurses and physicians in this area, that anybody who coerced or attempted to coerce to get health information would have those criminal sanctions. I think that would help us tremendously.
DR. HARDING: A little bit of a change of subject; the issue of redisclosure. If you have a database, have you all ever been approached by commercial interests for that information? For instance your example of trying to do a better job with asthmatic patients in your plan, and how effect that has been. Have you ever had the National Inhaler Association product come to you and say if you give us that list of people with asthma in your plan, we'll give you X amount of dollars and then we can send them a lot of educational information and help them in their decisions in what type of inhalers?
Using that as an example, do you ever get approached that way by commercial interests wanting access to your database?
MR. LARSON: Frequently, and mostly in terms of the pharmaceutical industry. The way that we do approach it when we work with them is a partnership. They would provide us their programs, and we would do all the mailings and all the patient contact.
If we were to give them data, it would be blinded or encrypted, as I stated before, so that they can run tests on the data and do some work with the data, but they have no idea who the patients are. We require all communication to come directly from the plan.
DR. HARDING: The thing that I hear is that they will get a flyer on a certain medication after being diagnosed? So that doesn't come from the company, that comes from the plan, who has an agreement with the company to what?
MR. LARSON: They help fund our project. For example, our asthma project that I talked about has pharmaceutical company backing. They don't control exactly what we do. They are aware of what we are doing, but they don't control it and they don't have a final say. We have a final say in what the end communication is, and all letters of communication come from the plan, never from a pharmaceutical company.
DR. HARDING: Then of course the implication -- and not accusing, but just following along -- then the implication would be that that company would have an inside to the pharmacy; the types of medicines that are available? Thinking from the pharmacists' side. Do you get that kind of pressure to, to the formulary being changed to help the people who have helped you?
MR. LARSON: Sure. I mean that's just the way it is in the industry. We make our decisions based upon formulary. We try to keep those two things separate. Basically, when we enter into a working relationship with a pharmaceutical company, it is one in which we know where they are coming from, and generally they have a certain share of the market.
For example, with asthma they have a certain share of the inhaler market within our area, and they know that if we publish asthma guidelines and it says to use inhalers, they are going to get a certain percentage of the market just because inhaler use is going up. They will inherently get it versus going out and actually promoting their specific inhaler. We don't do that.
Just because we promote the use of inhalers causes their business to go up, so they are willing to work with us without actually having to promote their drug directly.
MS. GREENBERG: I want to go back to right after the break when you were mentioning about profiling patients' use of say emergency room, and then going back to the physician. You said you were looking at the issue of providing diagnosis back to that physician so that he or she could see why these patients were using the emergency room.
I wondered what process you were using to look at that? Whether you communicate with your members on issues like this, as in focus groups, just the whole process. I believe there was a stipulation in one of the bills last year where you would specifically have to release your information to another physician, and you could withhold information from other physicians. So this is obviously an issue with some patients, that they don't want a physician to have all the information about them.
MR. LARSON: We are torn between the issue of trying to improve care and maintaining confidentiality as best we can. The reason why this issue came up is we have a reports committee who was generating the new physician reports that we're going to try and send out, and lo and behold here is a prototype of a report that lists the physician, the patient, how many ER visits they had, on what dates, and what the diagnoses were.
The reason why we were discussing it is because a red flag came up in my mind and said, whoa, that's a concern. Can't we provide this data to the physician and say, this patient went to the emergency room on the following dates, but not put the diagnosis on it? If the physician wants that specific information, then they can call us directly, and we can discuss the uses of that data.
To put it out on a piece of paper that you don't know where that paper is going to go, and blindly send it to a physician office, you don't know who is going to open the mail. You don't know where it is going to go or who is going to see it. Those are the safeguards that we need to keep in mind when we just blindly produce information and send it out without second thoughts of what it could be used for.
MR. GELLMAN: I want to go back to this issue of employer access to insurance records. Maybe I can get you to talk about this a little bit, Kathleen. I have heard this a lot from people, that the insurance companies are basically forced by the employers, who are their customers for group policies, to give up identifiable patient information, and that this seems to be a real problem.
I wonder if you could talk about this from your perspective, and how common this, or what kind of problems it creates.
MS. FYFFE: I don't know too many of the specifics about this. I have heard the same tales that I think you have heard. Again, there is a contractual relationship between the insurance company and the employer group plan. It could be that as part of that contractual relationship there is information given to the employer. That is the only comment I can make in terms of what I know.
MR. GELLMAN: I'm just wondering, one of the difficulties with trying to legislate in this whole area is that the roles of the various players overlap quite a bit, so you don't simply have employers as pure funders of health insurance, but they get involved in oversight of the process and containing costs and quality of care and all that sort of thing.
So that they clearly have an interest that may require access to some kinds of information in order to carry out those functions, which benefit not only the employer, but perhaps the employee, and perhaps the health providers as well.
One of the questions here is to what extent does that process need to be fueled by the availability of identifiable patient information, as opposed to information that is not identifiable?
MS. FYFFE: Again, in this era of increasing health care costs, employers want to keep their premium costs down for health insurance or coverage for their employees. It strikes me that they could get good information from non-identifiable records about the composition of the employees that are being insured, but again, I wouldn't know on a specific case basis. It would really depend upon I think the internal personnel policies of the employer group, as well as the policies of the insurance company.
It is a challenging relationship. The contracts are renewed yearly, and there is quite a bit of competition.
MR. GELLMAN: I think that we've got a recent court case that really sets out the problem here very directly. Specter v. Doe is a Third Circuit case decided last year, probably the middle of the year, in which basically the employer was getting specific information on an identifiable patient, and the patient sued, and said you have no business.
I don't think the company took any action against the patient, who had AIDS, but the information was around, and was available to people within the company. The patient sued, and the court said basically to the patient, too bad, the employer has an interest here, and we're not prepared to say that they violated your rights in some fashion that we are going to let you recover from.
This raises an issue that really hasn't been specifically addressed I don't think in any of the bills, and that is trying to directly regulate the flow of patient identifiable information back to employers who are funding health insurance, and whether some kind of specific prohibition or specific limitation needs to be imposed.
Then you have the problem of well, what happens when we have self-funded insurance. All of the sudden the distinction doesn't make any difference any more. Any thoughts on that?
MS. FYFFE: Well, let me ask a point of clarification. Was that case you mentioned as part of an EAP program?
MR. GELLMAN: I don't believe so.
MS. FYFFE: Have there been any precedents set in the employee assistance programs? I know a few years ago there was flow of information back to employers that uncovered all sorts of --
MR. GELLMAN: I don't know the details of that. That's a whole other area of problems where I think there is even less law and precedent and rules than for anything else.
MS. FYFFE: Correct.
MR. GELLMAN: Someone suggested that the greatest danger to employees actually comes when claims are processed through the employer, wherever they are headed, whether they are headed to a self-funded plan, or to a third party insurer. That essentially that this takes patient information and runs it through the company in some fashion, and it is susceptible at that point to retransmission within the company, perhaps to supervisors, or through gossip or what have you.
One suggestion that has been made a long time ago, and never been followed up on was a proposal that would basically prohibit employers from processing health claims or require them to hire third parties. I wonder if anyone has a thought on that?
MS. FYFFE: My general understanding is that it's the exception, rather than the rule that the employer would process claims for their employees. For example, in all my years of being covered by commercial health insurance companies have never had to submit a claim to my employer. I send it to an address that is on the form, and it goes directly to the insurance company.
I do know that in certain parts of this country -- and this is more historical rather than current -- there were employers that had more of a paternal, if you will, attitude toward their employees, and they would say, as a benefit to you, we don't want you to hassle with this paperwork. You can submit the claims to our human resources or benefits office, and we will prepare all the paperwork for you and send it to the insurer.
That is really an exception, and we don't see as much of that anymore. The general procedure is that the employee submits the claim to the insurance company, or if it is an inpatient stay, the bill is sent from the provider, from the hospital or the clinic to the insurance company.
MR. LARSON: I had a comment. I'm not sure I'd go so far as prohibiting employers from paying claims, of requiring them to have separate processes in place that differentiate claims processing from the normal business operations of the company.
I have one individual who stated that at her husband's employer, they were required to submit all claims to the their supervisor, so that that supervisor could sign the form verifying that they were still currently employed before the claim went on for processing.
So they purposely didn't submit claims for payment, because they didn't want the supervisor to know about mental health counseling, and that's the impact this can have. So I think truly some things need to happen there, but let's not go too far.
MS. FYFFE: As a point of information, and more in the past, there have been arrangements between employers and insurance companies that in fact the employer will certify who is a member of the insurance company and who is not. So the records are not kept at the insurance company. It's called a self-certified plan.
You wouldn't know that you are even covering a particular individual until you get a claim. Along with the claim, it would say, yes, this person is employed. They have paid their health insurance premiums.
MR. GELLMAN: Of course there is obviously a way to set up a procedure whereby that is done on a separate piece of paper.
MS. FYFFE: Absolutely.
MR. GELLMAN: Let's keep talking about the sort of occupational medicine setting. Kathleen brought up the employee assistance plans. It seems, from what I have learned about these plans, that there is the real problem in that the plans are sometimes forced to disclose patient information back to the employer.
In your practice, you face the same kinds of pressures to do this, because that is what you have already talked about. Are employee assistance plans a separate animal from the kinds of services you perform? Are they the same thing? Are the lines fuzzy?
MR. KOWALSKI: I think, to generally make a statement on that, I am spoiled in General Motors, because our employee assistance program, and also all the things that we have in our corporation are specific. We have our own safety department. The EAP is handled -- there are special salaries employees that have specific training that work with a union counterpart. They become certified. They go to classes, and all their case files are confidential.
Then if they are sent out for treatment, they are taken care of, and those things are specifically confidential. Now other --
MR. GELLMAN: Excuse me, they are confidential by company policy?
MR. KOWALSKI: Right. Like you said, the union has that specifically addressed in contract language back in the seventies already. So in my case, it has been well founded, and everybody knows those are confidential, and nobody even challenges that issue anymore, because it's been around for quite a while.
The other occupational health nurses in the country that work for smaller companies, they are the safety person, they are the workman's compensation person, they are the EAP person. Like I said, that one specific nurse takes in a lot of responsibility, because she has all those. She constantly has those people coming for this and that information.
That's why it's such an issue with our organization, because obviously I'm spoiled in mine specifically, but a lot of smaller work sites where there are 2, 5, 7 or 1,000 employees, where that nurse is the only professional person. She might have access to a doctor at a clinic or a hospital or some other occupational health care arena, where she is the sole provider and holder of all that information.
Like I said, every year when we listen as an association to the nurses that come to our national conference, they just cry, you've got to do something about confidentiality, because they are getting killed out there. They are coerced, or their jobs are threatened. They get fired.
As a professional, when we look at ethics, doctors and nurses get it pounded in their hand way through the whole program, the medical records are sacred and confidential, don't give them out. A lot of these people won't give them out, but they lose their jobs, and they take a lot of hits for it.
That's why we are here, trying to get something to protect the employee. I think it's that trust relationship that I mentioned earlier. People need, in this country, to feel that whatever area of confidential medical records there are, that they are safe and trusted by those people.
EAP programs, there are many of them around the country and there are different kinds of people -- there are human resource people involved. There are union people involved. There are safety people involved. Some of those people don't have ethics. That's why you need legislation or regulation to some degree, because they want information for bottom line knowledge.
MR. GELLMAN: Well, I think that's a good point. One of the problems with EAP is that there is so much diversity. It is not universally recognized as a licensed professional occupation, so it is really hard to get your hands around what it is you are regulating, or trying to regulate.
MR. KOWALSKI: Oh, I understand that. We have a union gentleman that took a couple of classes and got certified, and thinks he is a practicing psychiatrist.
MR. GELLMAN: You talked before about the problem of disclosures within the workplace, and I would like to go back to that. The classic example, somebody comes in and you discover that the crane operator has got epilepsy, or has got something that is a threat to other people. How do you deal with that?
MR. KOWALSKI: If whatever information we have is a common knowledge now over the years of practice that we will keep it confidential. If we need more information, either we will pay or ask them to get information from their private physician if they have a problem that might mean specific limitations.
If they come back with whatever their diagnosis or problem is, it comes back through the medical department, we will write restrictions that that can't do any overhead crane operations, or they can't climb stairs because they have either epilepsy or whatever problem that might be a problem for the job, so we write restrictions.
Like I said historically, 20 some years at least, the foreman would run down and say, this guy can't climb the stairs, he can't drive the crane, what do you want me to have him do? He'd say, what's wrong with him? I would say, well, you don't need to know that. You just need to know that he can't drive a crane, and he can't climb up the steps.
Then they would go either the plant manager or the personnel director, and they would come down and say, hey, we have to know why this guy can't do this. We say, the medical records are confidential. You don't need to know what the problem is, you just need to know what they can do and what they can't do.
That is the trust level, that they have to look at us as professionals, saying we're not trying to mess up the company. We know you need to make a profit, but this person has got a problem, and we need to deal with it in a way that's fair for them.
MR. GELLMAN: Does AIDS present any special problems?
MR. KOWALSKI: Again, because we are a major corporation and the union is jointly involved in almost all the things that we do today, we have special sections in the court that health and safety and AIDS fell under. We had video classes, specific classes for all employees.
Everybody knows in our corporation at least, that universal precautions are in. You're not going to know who or who doesn't have it. You wear gloves because anybody could be or could not be. So nobody needs to know who has AIDS, it just a potential that there are people out there that might have HIV or full blown AIDS and their privacy is protected, whether they are working next to somebody on an assembly line; nobody really knows.
MR. GELLMAN: Let me turn to some other issues. Some of suggested that insurers be required to destroy records say six months or a year after a claim has paid. Does anyone see any problems with that?
Kathleen?
MS. FYFFE: Yes, there are state laws again, that prescribe how long records need to be maintained. We have to comply with the state laws. In addition to that, I don't think there is any statute of limitations on fraud, so I think that in general I have the mention of the seven year maintenance of records, but I think that some of our companies are prudent, and try to keep them even longer than that.
MR. GELLMAN: I wonder, if you don't have records, how do you deal with the second request for an appendectomy on the same patient. If you don't know that you paid for one before, how you would know that this was a fraudulent claim.
MS. FYFFE: Well, that's a good point.
MR. LARSON: From a non-clinical standpoint, we have entered into a lawsuit with a company who is using the letters IHC as their company name. They are in a similar business as we are in terms of underwriting insurance. Now it is in the courts to try to say well, who used the term "IHC" first.
So because they are doing underwriting and evaluation of the claims from a medical standpoint, it's my responsibility to go back and proof through the records that we have kept in our company, in what state did we first start acting and doing those services. So we are glad we have kept our records for even longer than seven years, because now unless we can prove that, we're in jeopardy of losing IHC in every state in the nation.
So for business purposes, you need to keep records, and you need to keep them for at least seven years, because there are documented reasons for why you are glad you did so.
MR. FANNING: I have a question that sort of goes back to use outside of the company. I would like to know the various situations where records are used outside of the insurer or the health plan, but by organizations with whom you have contracts. What are those different situations where some outside organization has identifiable patient information?
MR. LARSON: In our case, the only ones that we send that information to are primary care physicians that are contracted with us on behalf of the patient. So that physician would get a report about the physicians within their practice. Other than that, any information we send out would be coded.
MR. FANNING: Do claims come to you though through some other organization?
MR. LARSON: Yes, let me talk about that a little bit. We have in two ways most claims are received now; electronically through nodes or what in Utah is called UIN. The electronic records flow through that node, and then are resubmitted out to the insurer, so that there is one way for the providers to send in electronic claims, and then the nuances of the insurers are specified by the one company.
It's just sort of a cooperative arrangement between the providers and all the insurers in the state, so that there weren't multiple different formats of how to submit electronic records, so they all come in through one place.
Because we have a number of other claims that are not submitted electronically, we take those paper claims and pay an outside entity to take the data from a paper format and type it into the system, so that then they essentially become electronic records. So that outside contracted entity does get our claims, and types in the specific information that matches up with our system.
MR. FANNING: The organization that processes the electronic claims, do they have a contract with you where you specific how they use the information, or is there a contract principally with the providers, or what? What is their business relationship to the providers and to the plan?
MR. LARSON: I'm not positive whether it's a contract or not. I don't know for sure. I know that it is viewed more as a cooperative effort, but as far as a legal, binding contract, I'm not positive.
MR. LARSON: One of the issues in designing a law like this confidentiality law is how to cover these various other organizations that are part of the chain, but are perhaps not providers and are not payers.
MR. LARSON: Right.
MS. FYFFE: It's my perception that standing between providers and payers is a vast patchwork quilt of intermediary processors. For example, a physician in a smaller practice could submit paper claims to a billing service that then inputs them to their personal computer, which is transmitted to a local clearinghouse, which is transmitted to a regional clearinghouse, which is transmitted to a national clearinghouse that translates the electronic information to standard information so that the payer can accept it.
In the other direction, for payment purposes the payer would send information about the amount of the payment, and who the patient is, and what account needs to be paid at the provider, and that can go through a bank. It can go in the reverse direction, through a series of clearinghouses.
So there is quite a bit of challenge in terms of the security of that pipeline I think, between the provider and payer and back again.
MR. GELLMAN: Let me just say that this afternoon's hearing is going to be focusing on the claims processing thing, and secondly, that you are going to have to come up with a different metaphor than patchwork quilt, because we have always used that to describe the state of medical privacy law throughout the country.
DR. HARDING: Just a follow-up minor point. One of the things that Senate bill 1360 says is there is a new class of entities called health information trustees. One of them would be the employer. When you were talking, Mr. Kowalski, you said that the nurses and the physicians and so forth have kind of had it beat into them from the start that the patient's confidentiality and records are sacred, and the employer hasn't had that beat into them through their training.
Certainly that's going to be a real challenge, it seems like to us, to reorient a lot of new health information trustees as to what is truly important. We can certainly put penalties on it all, but the principles and the rightness of that -- do you agree?
MR. KOWALSKI: Oh, I wholeheartedly agree. That is going to be an educational challenge. Those companies or whoever will be the designee of that company needs to be educated as to how sacred those records are of employees, because to some degree, I believe the companies believe that those records are their records now.
They need to be educated to that point, like you said, that they are confidential, and that they need to be used with care. Like I said earlier, the two things that I think will help that, if there is a violation, the enforcement thing, that that would get out that coercion part under Bennett's bill.
If the employer himself has that responsibility, I think that there would definitely need to be an educational process if they understand that, because if they don't, there are going to be a lot of violations to that aspect, because like I said, small companies or even mid-sized companies and other places, where there is not a physician supporting the nurse, and in the smaller places where it is just the nurse, they truly have a difficult situation to deal with on a daily basis.
The nurse tries to educate, but they are only seen as well, you're an employee to do the section, this, this, and this, and you will do what we tell you to do. If in that proviso, somewhere the education is there, I'm sure it would be well taken and appropriate. I don't know how that educational process would take place.
MS. FYFFE: I think that the educational process is going to have to go down all the way to the community grassroots level. You've got Girl Scouts and Boy Scout troops out there that take children on camping trips for weekends, and they administer medications to the children, and troop leaders administering phenobarbital or something to an epileptic. So you've got a challenge in that regard; school teachers, et cetera.
MR. SCANLON: There's one other area, and I'm not sure anyone knows what the answer is, particularly in the area of underwriting I think for life or health insurance where information gathered at the enrollment or application stage ultimately may make its way to pooled underwriting information service.
Are there currently any laws or policies governing the confidentiality of that information? Under what conditions is it shared? I think it is clearly done in the life insurance, and I think as well in the health insurance industry.
MS. FYFFE: My understanding is that would be according to state law. Health insurance, life insurance is highly regulated by the states. As an example in point, since the advent of health care reform, the states in total have introduced 40,000 pieces of legislation annually that would pertain to health insurance companies. Thankfully, only a small fraction of those are enacted, but there is a lot of activity and a lot of regulation.
MR. KOWALSKI: I just thought of another analogy for Dr. Harding's question. Historically, since the early seventies, OSHA came into line reporting occupational illnesses and injuries. That's been a medical function in our corporation. In the past few years we've had this new emphasis on safety, where plant managers' bonuses are affected by the occupational injuries and illnesses that might be presented at a plant.
The recording process that OSHA has developed doesn't truly tell you how safe a plant is or isn't, because the injuries and illnesses have to be recorded. The way it's said, it's got to be recorded; it doesn't matter. So the one good thing that has come about is plant managers wanting to know and understand why all the sudden this is on their OSHA record, where before when safety wasn't the emphasis, they had hundreds of them and it was not a big deal.
Since it is tied to their bonus now, the information is more why do I have this OSHA? What's the problem? What caused it? I think that same kind of thing would maybe help with the -- evidently in the end, they have to sign the OSHA form that goes to the government, the plant manager signs it, and he is responsible, but we do the work in medical.
I think that same emphasis would come to records, it would be an educational process maybe on our part, but other places that they understand how important it is. I think that whole part of education is a big tool.
MR. GELLMAN: One of the purposes -- and this is something that has been said by Rep. Condit -- is one of the goals of the legislation is to change the culture of medical records, exactly the point that you are making, so that people who are used to causally dealing with this information, will all of the sudden say, well, wait a minute, this is now highly regulated, subject to penalties, and I have to be more careful. Just that change in attitude is very important.
I've got a couple of more questions I want to get to before we recess. One of the proposals, the McDermott bill, calls for the creation of subfiles of patient information where patients designate some of their information as specially sensitive. There would be different rules governing storage, use and disclosure of these subfiles.
I wonder what your reaction is to that, and what kind of administrative problems you might see from that?
MR. LARSON: Tremendous administrative problems. Our information systems that we are building now don't have specific portions of them that you can blind to others. That is an issue that we are trying to deal with, but it is more of a long term solution than a short term solution.
I think I would standpoint of saying all information is confidential. Everything should be treated with safeguards. If everything was treated with safeguards, then you don't need special subcategories and classifications. If everything is treated accordingly, then there shouldn't be a problem.
MS. FYFFE: Two comments; first of all, it would be an administrative burden to segment the information. The second comment is purely from a lay person's point of view, it strikes me that a patient is not really qualified to make a judgment about what part of their medical record someone should have access to.
For example, if you have -- correct me, Dr. Harding, if I'm wrong -- if you have a history of mental and nervous condition or depression and so forth, and you go to another type of a specialist for another disease, it is entirely possible that the medication that would be prescribed to you for this other illness could interfere with current medications you are taking for depression.
I think the providers would be in a terrible position of having to provide risky medical care, if you will, if they didn't know the whole picture.
MR. GELLMAN: Another issue; if we have a law in the United States that protects the confidentiality of health records, the protections could be lost if information is transferred to another country where there are no legal protections. I'm wondering if health insurers are far known? If any of them ever transfer information to other countries routinely, or store information outside the United States as an ordinary practice?
MS. FYFFE: Yes, we have health insurance companies with international operations. I also believe that the world is getting smaller. There are people for example, in the Washington, D.C. area who work here for two weeks and then go to Asia for two weeks to develop software. More and more of commerce is international, and I think that again, that is a challenge, because the different nations of Europe and Asia do have different sets of laws.
MR. GELLMAN: Finally, I want to ask about the health identifier issue. This is one of the more difficult questions about what kind of health identifier is to be used.
It seems to me that you can categorize the proposals in three ways. One is to use the Social Security number. There has also been a proposal for a modified Social Security number. Then there are proposals for some new, unique health identifier. I'm wondering if you have views or preferences or thoughts on that?
MR. LARSON: We're creating a master. We call it an MMI, master member index. A master member index is designed that no matter where a member seeks care within the system, all of their information is recorded to one central place. Within that system, each member receives a unique MMI number. So we are essentially creating our own numbers.
As you know, there are a number of people who won't give you their Social Security number for any reason, and they are readily identifiable. It's almost like giving your name if you give somebody your Social Security number. So that's not really a protection. So we are using these separate MMI numbers.
MS. FYFFE: A couple of comments; the vast majority of insurance companies in the United States, as well as third party administrators currently use the Social Security number as the key to their database for processing. Changing those systems will be very expensive. I put together numbers a few years ago that indicated that it would cost around $3 billion to change the identification number for patients.
The other comment I want to make is that it's not the number itself that is the problem, it is the security procedures surrounding the use of the number. Even if we move the country to another set of identifiers, if procedures are lax, policies are loose, we could have the same problem that we currently have with the Social Security number and the emotions surrounding potential violations of security.
MR. GELLMAN: Well said. Anybody else?
DR. HARDING: Kathleen, could you reassure of the question about the data being transmitted out of the country and stored. If my health insurance CPT codes and so forth are contained in a company who has an international presence, it's possible that that could be in some other country with different rules and regulations?
MS. FYFFE: Correct.
DR. HARDING: Thank you.
MR. GELLMAN: Depending on the country, you might be better off.
MS. FYFFE: Yes, you could be working for an international country and be stationed here in the United States. In South Carolina it could be -- what is Mercedes Benz that has an operation?
DR. HARDING: BMW.
MS. FYFFE: BMW, sorry.
MR. KOWALSKI: Specifically, we have employees that go overseas, since we are in the overseas market. France and China have specific physical exams that they want done. Basically, we do the physical exams and these employees take the information with them. Some of it goes to somewhere in their government. What happens with those records, we have no idea, because it is required by that country for them to get their temporary permits to go and work there, so that is an issue.
MR. SCANLON: Just quickly the reverse. What about organizations that are headquartered let's say in other countries, and transfer medical information back here. What is your experience with that? Have they done it?
MR. KOWALSKI: It's interesting that you would say that, because the information that we have given on any of our employees that have gone overseas, when they have returned to stateside assignments, nothing has ever returned with them.
MR. GELLMAN: I think we are going to break at this point. I want to thank the witnesses. It's been a long morning, and I think a very profitable one. I am most grateful for your participation and your candidness.
We will reconvene here in about an hour.
[Whereupon the committee was recessed at 12:05 p.m., to reconvene at 1:00 p.m.]
A F T E R N O O N S E S S I O N (1:07 p.m.)
MR. GELLMAN: This afternoon's panel is on claims processing, which is an issue that we touched on this morning. Now we will get into in greater detail.
We have two witnesses. I'm going to ask them to identify themselves, and their organizations. We will begin with you, Mr. Burleigh.
MR. BURLEIGH: My name is Robert Burleigh. I am President of Brandywine Health Services. I'm here on behalf of the International Billing Association.
MR. GELLMAN: Where is Brandywine located?
MR. BURLEIGH: Our headquarters is in Malvern, Pennsylvania, a suburb of Philadelphia.
Good afternoon. Today I have the honor of representing the International Billing Association. On behalf of IBA, I would like to thank you very much for the opportunity to appear before your Subcommittee on Privacy and Confidentiality.
IBA is the only trade association representing medical billing companies. These companies employ nearly 20,000 people nationwide, processing an estimated 650 million claims, or nearly $55 billion in medical claims annual.
A one page profile of our members is included with our written testimony, which has been provided to the subcommittee.
We are here today to explain what third party medical biller do, and discuss Congressman Condit's legislation H.R. 52, the Fair Health Information Practices Act of 1997, and to offer some suggestions on trying to strike a balance of the legitimate needs of those who must have access to medical records to perform their functions, and the equally legitimate desires of patients to insure that their medical records remain private and confidential.
Let me begin by emphasizing that IBA strongly supports the goal of protecting confidentiality of patient health information through federal legislation. To this end, we have worked with Sen. Bennett's staff and Rep. Condit's staff and provide sector organizations over the past two years to craft legislation that seeks to meet the needs of patients, providers and billers.
Unfortunately, to date we believe that the Bennett and Condit bills extend the common goal, and instead would result in higher costs for consumers, and defeat the goal of administrative streamlining through the imposition of new and complex administrative requirements.
To continue to facilitate the effective and efficient delivery of high quality health care, while insuring patient confidentiality Congress should adopt federal legislation that focuses on appropriate versus inappropriate uses of patient health information.
Before discussing our comments on Rep. Condit's bill H.R. 52, we thought it would be helpful to first explain what billing companies. Billing services vary widely in the scope of services offered, and the manner in which they conduct business.
The most common elements of billing are the processing of claims for practices that consist of: patient identity; resident and telephone number; patient and/or insured party employment; the insurer's policy numbers; dates of service; identity of providers and their identity codes; the services performed; the diagnosis for those services; place of service; and in the case of worker's compensation or tort liability, accident reports and/or incident data.
The variety of additional patient or service-specific information and/or attachments are considerable. Many hybrid arrangements exist as well whereby providers perform portions of the billing functions, and hire a service bureau to complete the process. This junction is also where the claims clearinghouse segment of the industry plays an important role, and it is there also independently hired by providers to support claims submission.
We have reviewed Rep. Condit's Fair Health Information Practices Act of 1997, and have prepared our comments on the basis of this bill, as well as our knowledge of the provisions of Sen. Bennett's bill S. 1360. We have also outlined some additional issues in our written testimony that we believe will bear on the efforts of this subcommittee, and the responsibilities assigned under HIPAA to recommend legislation regulations to protect a patient's right to privacy and confidentiality of health information.
First and foremost, we want the subcommittee to know that we strongly support the goal of the Condit bill, which will require confidentiality on the part of those who have in their possess, protected health information, including billing companies.
Secondly, we believe that anyone, including billing companies, who violates the confidentiality of protected health information should be penalized.
We disagree with the Condit and Bennett bills when they seek to impose obligations on billing companies that are, in our judgment, only appropriate for the originators of the medical records. We can support standardization procedures.
Allowing individuals to access their medical records through billing companies would be a breach of the biller's legal duty to honor the patient/physician privilege. It would also be a breach of contract liability for disclosing and/or changing information without the legal authority or qualifications to do so.
Further, disclosing or changing clinical information without possession of the original document or record would not only be unethical, but could also result in payment errors that could negatively impact patients and providers.
We cannot accept any federal legislation that would allow individuals to walk into a billing company's offices and demand to inspect, copy, amend or correct the medical record information in the possession of the billing company. In other words, billing companies should not be considered in either the Condit or Bennett bills as health information trustees in terms of patient access to medical records under any circumstances.
All of these functions should rest squarely with the originating provider of the medical information. We would define the term "originating provider" to mean the health care provider who initiates treatment or generates information which is or becomes part of an individual's medical record.
We do believe that billing companies should be required to maintain the confidentiality of the medical record information they receive from health information trustees, therefore we do support and agree with the requirements of Section 105 of the Condit bill concerning safeguards.
Regarding authorization for disclosure of protected health information, which is Section 112, we are concerned that the disclosure requirements could create lengthy delays in obtaining authorization, which could result in claims processing taking days and dollars to perform, whereas it currently takes seconds and pennies to perform.
In the ordinary course of business, many forms are used to accomplish the same function for multiple providers, particularly in hospital-based settings. In addition, identification of payers to receive the information, and the information which they will receive is subject at the time of the consent, which is crucial to informed consent, is often not possible.
Maintaining a copy of the authorization, as envisioned in the Condit bill, Section 112(f) also creates a problem. Providers, and in particular hospital-based providers often never take custody of these documents, nor do they convey them to their billers.
We would recommend that the Condit bill provide an exception for hospital-based physicians whereby the hospital would receive the general authorization to disclose protected health information for payment purposes to billing companies, other third party billers and insurers for all of the medical providers who are hospital-based.
Given the time constraints, I would refer you to our written testimony, which discusses in more detail these and other concerns and recommendations I have briefly discussed today.
On behalf of the International Billing Association, I wish to thank you for the opportunity to be part of your deliberations. In addition, we stand ready and willing to offer the assistance of our organization and its members in providing further input and commentary in the development of recommendations for the secretary.
MR. GELLMAN: Thank you. Let me just say that I think you have raised some good points. I think that some of your concerns are actually already reflected in the Condit bill. Maybe the bill doesn't describe its intent as clearly as it should, or you haven't read it right.
Jeanne, you are next.
MS. SCOTT: I'm Jeanne Scott, and I'm with CIS Technologies, a national data corporation company. CIS is a subsidiary now of National Data Corporation, one of the largest processors of health care information electronically. Today, CIS and NDC together process over 250 million transactions annually, and we expect to be handling over 2 billion -- that's billion -- such transactions a year by the year 2000. The numbers are increasing almost exponentially.
CIS and NDC belong to the Association for Electronic Health Care Transactions, AFEHCT. AFEHCT is the trade organization for the many vendors, suppliers, software developers and electronic transmission networks that are taking the concept of electronic data interchange -- or as it is now frequently called, electronic commerce -- in health care from the drawing board to the operating room.
Our membership includes some of the largest and most recognizable corporate names in the country -- IBM, EDS, Unisys, many of the R-BOCs -- as well as smaller, emerging companies such as my own, all working on bringing health care EDI to reality. We are making the private sector investment today to build the electronic capabilities that will be needed tomorrow.
I emphasize the fact that these are the companies that are building the electronic highway, the network. They are investing hundreds of millions of dollars into the system.
Our member companies this year already are processing 1 billion transactions electronically -- paperlessly, saving trees -- less expensively claims inquiries, authorizations, insurance approvals and remittances.
As we move toward the processing and transmission of clinical and other medical data, telemedicine and outcomes and quality research, we expect that number of transactions to double, triple and quadruple each year over the next few years. Future estimates for our industry are that we will be handling and processing literally tens of billions of transactions by the turn of the century.
Estimates of the administrative overhead, the paper and bureaucratic burden associated with health care delivery vary from 14 to 35 percent, depending on who you have been talking to this week. Even assuming that only half of the lowest estimate might be saved, that would be nearly $75 billion in 1997 health care spending.
Even more might be saved through the identification of ineffective, duplicative, and unnecessary service, a process made far more feasible, effective and available as a tool for health care management through the use of EDI.
It is not an understatement to say that administrative simplification and the use of electronic technology in health care communication and management can be and should be, if we don't place unnecessary burdens on its use, a major factor in resolving the sometimes seemingly intractable challenge of providing needed health care services to all of our nation's people, both today's elderly and young, today's poor and uninsured, as well as tomorrow's growing population of soon-to-be seniors.
CIS, NDC and the member companies of AFEHCT are here to support the development of national, consistent and workable medical record privacy standards that will help us as we are building this network move forward in the designing of the tools, the products and the services that will make the future delivery of health services administratively, and perhaps most importantly, economically feasible.
Many of the proposals that have been put forth, including last year's Bennett-Leahy legislation, and the bills already introduced this session by Congressmen Condit and McDermott, among others expected and yet to come, and the call for implementation of privacy and security standards in Public Law 104-191 are expected to give our industry clear guidelines in developing these needed tools.
CIS and NDC support workable systems that will optimize individual protections and assure that the advantages offered by EDI and electronic commerce in health care will not be outweighed by the costs to individual privacy and personal freedom.
Optimization does not mean maximization. We have two very important social goods at play here, the protection of privacy of individual identifiable medical information, and the development of critically needed, cost-saving administrative systems for health care. The two should work together, and one should not impede the other.
This must not be allowed to become an adversarial system. We cannot allow such an important issue to get bogged down in a shouting contest among the players and participants. Each must try to recognize and work together in seeking optimization. All sides have to be open to the needs of our society and our technological capabilities in addressing these needs effectively and cost efficiently.
When I had the opportunity to represent the health care electronic data interchange industry in testifying in hearings before the Bennett-Leahy proposal, S. 1360, I acknowledged the very real concern that we all must have about our private and personal information, that it not be carelessly used or unnecessarily exposed to illegal usages.
"Hit me up both sides of the head with a big stick," I said, "If I or my company violate this law." We should go to jail if we are so callous as to disregard the basic integrity of an individual's personal identifiable medical data.
In our zeal to protect these most inviolable of interests, we cannot lose sight of the need to not only reduce the administrative complexity of health care administration, both financially and clinically, but to begin the process of using data constructively to improve both the quality and the efficacy of health care services, at the same time reducing the growth in health care spending to a more manageable level. We are spending $1 trillion in health care in this nation, and we need to spend it well.
Despite all these good intentions, however, there are still many roadblocks that have to be overcome. The horror stories of the use and misuse of personally identifiable data are all too real and cannot be disregarded.
Nevertheless, the concept of computerized systems are or will become some sort of big brother and the potential villain in all of this has arisen, despite the fact that virtually every one of the horror stories of privacy and confidentiality violations, ranging from the office clerk who stole a copy of Arthur Ashe's medical file to sell to a tabloid newspaper, to the mental health records piled in a trash can in Louisiana, virtually without exception all of these arose in a paper environment, or would occur just as readily in the paper environment, as in the electronic.
Computers and electronic processing of data are not the bogeymen in this matter. The solution is not to place barriers on computerized systems, but rather the solution is to embrace the technology, while at the same time insisting upon optimum levels of security and protection, coupled with appropriate disincentives, including as necessary, criminal penalties for the hackers and abusers.
Sen. William Bennett, in introducing S. 1360 very aptly described the dilemma. We cannot prevent a determined hacker or abuser whether the process is electronic or paper. What we can do is:
(a) spell out a clearly expressed national policy on the use and misuse of personally identifiable medical information;
(b) adopt national, uniform and effective standards for guiding the health care industry, including requirements for automated processing;
(c) set limits on uses for such information, i.e., prohibiting the direct marketing of such information, and its misuse in employment, insurance or other service or benefit qualifications; and
(d) provide assurances that if and when such abuses do occur, they will be dealt with effectively, and with appropriate punishments leveled.
Deterrence, awareness and requirements for optimum security within the advancing technology are the answer, not heedlessly suggesting that technology is the problem, and not by holding back the opportunity to use data for the better care of the individual, and the more efficient and cost effective management of our nation's health care system.
For myself, CIS Technologies and National Data Corporation, and on behalf of AFEHCT and its many member companies we stand ready to work with the subcommittee, the National Commission and its staff in addressing the issues of optimization, drawing lines and working out solutions to these critical needs for our nation and our people.
I thank you for the opportunity to be here. Tom has presented a paper which goes into the processing, what our companies do at more length and that is for the record.
MR. GELLMAN: Thank you. Tom, do you want to identify yourself?
MR. GILLIGAN: I'm Tom Gilligan, and I serve as the Executive Director of the Association for Electronic Health Care Transactions.
Bob, I would like to take about two minutes to cover a point that was raised in Mr. Burleigh's testimony, and reinforce it.
On this document, if you would go to the page that says, "Connectivity," I would like to deal with a little bit of the flow of the data in our industry, and why the issue raises a couple of points as to why disclosure of protected health information and security, especially encryption are important items for us.
The first page after "Connectivity" is a description of how the data flows from a physician provider to possibly a billing service, possibly directly to a clearinghouse, maybe directly to a VAN, to another VAN, to a payer.
MR. GELLMAN: Do you want to explain what VAN is?
MR. GILLIGAN: VAN is a value-added network. It's an organization that buys telephone time in great bulk, like in the hundreds of millions of dollars, and then manages that time for individuals it resells it to, like individual doctors, hospitals, what have you.
So the data would go through a VAN, to a clearinghouse; a VAN to a clearinghouse and another VAN to the payer. As you can see, there is all sorts of connectivity there. It also goes back the same way in many instances, although in some of these things, when a bill gets to a payer and a payer pays it, a bank may be involved in the processing of what is called a remittance advice.
Following that chart, I have got a prose description of the connectivity and who gets to do what, who chooses the value-added network. It is usually the receiver of the document who chooses the VAN that the provider would have to use.
You may have as many as three different clearinghouses involved in one transaction. You have a provider selected clearinghouse, and that would go to a national clearinghouse like any NAIC or CIS or National Data Corporation.
You may have a payer selected clearinghouse such as one of the Blue Cross plans, like the one in Maryland have identified somebody like EDS to be the receiver of all their electronic claims. So in between those clearinghouses value-added networks are involved.
The reason I want to bring this to your attention is that with respect to disclosure provisions, all the legislation provide as a general rule, you may not disclose protected health information except as authorized under this type. The way the rules are written, the way the statutes are written now, let's say for instance S. 1360, an agent who receives protected health information from an entity -- this is again, in the general rule -- shall be subject to all the rules of disclosure and safeguard requirements under this title.
Which means they have to obtain an authorization for disclosure from the patient before they can disclose to the next value-added network or clearinghouse in a chain. Again, to borrow from Mr. Burleigh, to get those authorizations is going to reduce this back to a paper operation, and develop a system which takes days instead of seconds, and dollars instead of pennies.
I think that about covers it. It is my opinion that because of the general rule, that specific legislative language that allows each entity in the chain of command, a chain of companies that it takes to get an electronic transaction from provider to payer and back ought to be included in the legislation.
MR. GELLMAN: Thank you. We're going to get into the details of some of this in some of our questions.
Mr. Burleigh, you said that you support legislation. Of course, you would like to see some of the proposals amended here and there.
I didn't hear that from you. Jeanne, do you support --
MS. SCOTT: We call for legislation. We are looking for this help. We consider this to be a help to our industry, because right now without guidelines, without standards, we are flaying around. We are investing millions of dollars. We are in danger in some of these investments, so as an industry we are very supportive, because we need to know what to do.
We don't the system to put barriers to the development of these things, but we have to know where we are going with this, because we are putting at risk literally hundreds and millions and billions of dollars.
MR. GELLMAN: By the way, your two organizations, what is the relationship between the two? Do you overlap? Do you compete? Do you have common members?
MR. BURLEIGH: We have many common members. We are customers of their industry. Most of our members use clearinghouses. Some of our members are clearinghouses as well, some of the larger ones. We are mostly customers and transactors with the clearinghouse industry, as we refer to it, the EDI industry.
MS. SCOTT: I think that is a fair statement. Even my own company for example, who are building the network, but we provide other -- I will use the expression -- value-added services to the data, which may be in the area of billing, billing analysis, all sorts of other consultant services, so in that area we are compatible, and even have the same members.
MR. GILLIGAN: Over the electronically formatting of the transaction.
MR. GELLMAN: Let me ask a sort of basic question. I think Tom, your presentation really touched on this, but I really want to get some of the basics out on the record. The traditional view of disclosure of identifiable patient information is that it is all done with the consent of the patient. You push the button and that has been the standard answer you have gotten for the last 20 years.
So my question is -- and taking note of the complexity of this chart -- why can't we let patients control the flow of their information through the payment system with consent? What's the problem?
MR. GILLIGAN: I'll take a crack at it. That is, to what extent do you want to tell the patient should he know each value-added network that his claim goes through or his eligibility transaction goes through? Should he know each clearinghouse that it might go through? Should he know which billing service is going to be involved, if the remittance advice, which comes back from the payer, which also carries something that identifies him, his claim, and what was paid and what was not paid, should he know that as well?
If so, you are going to have a consent form that is pages and pages long. Given the complexity of telecommunications these days, you may not know which route your telephone call goes through, because some node is busy in one part of the country, so it might go around.
MR. GELLMAN: Don't we know who the key players are? I go see my doctor. I have the same insurance company. Aren't the same players involved all time?
MS. SCOTT: At this end and this end, but not in between. That becomes the issue.
MR. GELLMAN: So there is an uncertain and unpredictable path that the information goes through?
MS. SCOTT: I think probably what we have seen with the major telephone companies in their efforts, they have one animated version that I have seen where the line goes, and it is busy here. It pings back here. It just literally goes and bounces all over the country. They have a global map of the United States there, and it is bounced through maybe 20 or 30 or 40 different lines, all in split seconds mind you, so that it's invisible to the person at this end and at the other end, what it might have done in between.
That is the same type of issue. It leaves the physician a small piece over here, and you're trying to get it to the payer or payment processing, and then back. They don't know at this point in every situation, exactly all the loops that it might go through.
If we insist that it has to go a certain way -- that is where we end up going -- then we're going to put impediments to designing this system. We want that flexibility in here. That's why I'm saying we don't address it by saying you've got to do it this way, and limits and things. We address it by the overall standards that we set for how these people play in the arena, and that's why we are looking for help.
MR. GILLIGAN: If you provide the level of detail to the patient as I outlined it, it is probably possible, but not necessarily desirable. It then implies that the patient has an option of saying I don't want my data to go through thus and such an entity. That is going to really foul up the business relationships that companies have.
The patient, in that kind of a situation, if he doesn't want his data to go electronically, should mail his own claim, or have his claim mailed by the hospital, as opposed to sent electronically. Then you are talking about the hospital's cash flow as well.
MS. SCOTT: That's not a solution. It's a solution maybe to the immediate, but it's not a solution when we look at the optimization that I talked about, because at that point, if somebody insists that it has to go on paper now, not does the provider have to have that paper capability and the costs that go with that, then the payer at the other end has to have that capability, and it's a tremendous increase in cost.
I think HCFA has come up with some estimates on the difference between electronic processing and paper processing in terms of costs. Multiple that by the billions of transactions that we have already talked about, and we are talking megabucks.
That's what we are trying to get at. That's is a solution. It might more in the way of helping to maximize security, privacy for that individual in their own mind, but what we have to do is say that's not the optimization. We've got to try to stay away from that, because that is just going to bog the system down and raise the cost tremendously.
MR. GELLMAN: Mr. Burleigh?
MR. BURLEIGH: Let me give you a couple of illustrations. Patients admitted to hospitals often talk about the mountain of paperwork that they have to go through to get in, sign their life away. The informed consent, meaning as a consumer I'm going into an institution. Many people are going to take care of me. Some of them are related to the institution, and some of them are not.
Before I agree in advance to be treated, and before I agree in advance that my health information can be transmitted in various directions, the amount of paperwork -- I can't estimate it accurately, but it would multiple 10 or 20 fold, because a patient going in for surgery is going to have a surgeon, an anesthesiologist, a pathology to examine the tissue that is removed, if any is, a radiologist to read x-rays, a cardiologist to read their EKGs; if I was admitted as an emergency case, the emergency physician practice, and so on.
The idea that a patient would have to knowingly consent in advance for each of those providers to have and transmit that information, each of them often using a different source for billing; some do their own, some contract it. Sometimes the hospital does two specialties and so forth.
The amount of information the patient would have to be confronted with, and the number of consents to be signed -- and that is before we definitely know who is going to be paying the claim, because that information often involves subsequent to the patient's admission. So it is a matter of then of when do we know who is going to get it?
Do I have to consent to the information going to a billing company, or generically in the custody of a physician, who is then delegated to see to the rest of the process. So how many steps have to be controlled? How much consent has to be given?
As I mentioned in my longer written testimony, one of the potentially unfortunate outcomes would be that physicians and other providers might decide not to accept insurance, since they are not obligated to accept the federal programs, and simply deal on a cash basis with the patients, as things used to be many years ago, when health care wasn't as expensive as it is today.
The public approaches health care as something that is insured and in effect paid for, and has accepted thus far that the transactions that go behind that take their own natural course, without trying to control it. Consumers have a right to privacy. Those who handle the information have the duty to protect it.
So I think we're all in the same place there, it's just a matter of how we accomplish that, and how many steps are added to the process, and what that costs, because somebody is going to have to pay for it.
MR. GELLMAN: Richard?
DR. HARDING: I appreciate your testimony so far. I am a psychiatrist, a physician, and get into that billing issue. Reassure me that the electronic things that I send off are not going to be listened to by a Bearcat scanner so to speak. Are there any side tracks in the big highway in the sky electronically where information can be inappropriately side tracked or broken into, or things like that, that others outside of the system could be utilizing it for not so good purposes?
MS. SCOTT: I think again, while we are sitting here, yes, there is an electronic process that is going to digitize data down to the thing. As I said, and Sen. Bennett said, a determined hacker, for whatever reason, can probably break even the most secure -- the air force system was down a couple of weeks ago. They are going to get into a system.
So I think while we want to have the security of the data and the rest of it, and maintain it, I can't, and I don't think anyone could say that it would never be reachable by someone for whatever nefarious reason.
I think the main problem is not the hacker, or the guy with the scanner or something, as it is at any one of these places, somebody is using the data for some other purpose other than it was intended for; having access to the data legitimately, but misusing it in terms of -- that's why we are looking for some standards in terms of the legislation. What it can and cannot be used for, and how these penalties and assurances for this misuse.
When we get into start saying you can't do this when you send it that, or you can only send it one way, but not another way, then we start to put barriers in the development of the electronic processing. My concern is that we don't try to solve one problem by creating another.
MR. GILLIGAN: Could I add to what Jeanne has said? This electronic health care transaction industry has been alive and well for about 15 years. People have been using credit cards to pay for their health care transactions for a lot longer period of time.
In all the horror stories that have surfaced thus far, not one of them involves the electronic transmission of health care data. So I mean, yes, it is a technological possibility. Does it happen? The answer is the history is no.
MS. SCOTT: It would be easier to break into -- instead of intercepting the transmission -- to break into one of these sites where data is stored, and view data on their computers or something of this nature. That type of thing could happen. Like I say, that's where we have various security measures and requirements, and we are expanding and improving those as we talk, all the time, for the outside hacker.
Again, I think the major problem or the potential problem isn't the outside hacker, although that exists, as it is the inside misuse of information by any one of these people who have gained access to it legitimately, and then for whatever purpose or reason, it ends up getting misused.
One of the allegations down here at the payer end, and I know you heard from the payers this morning, they get the data here for payment and they have the potential to use it for all sorts of other purposes -- employment applications, security, and this type of thing, where it starts to become another issue. That is where again, I think we looking at that process.
MR. SCANLON: A couple of things. I assume that there are standard security practices already in place. Even over the Internet there are sort of standard protocols you invoke when you are sending identifiable information. That is presumably standard practice, and you continue to work on that in this electronic transfers.
MS. SCOTT: That is correct.
MR. SCANLON: When a clearinghouse or a VAN does receive identifiable information for claims processing, other than the reformatting or other value-added processes, what typically -- is the work of the clearinghouse largely reformatting and standardizing intermediaries?
MS. SCOTT: In the pure clearinghouse application, yes. In other words, the clearinghouse is just that. The data comes in, and it comes in, in one format. In order to send it to the next place, it has to be formatted to go there. The next place is usually ultimately the payer; from provider to payer or back the other way. So that is one of the major processes.
Increasingly there are other services that may be provided. There may be various management assisted computer program services that are provided. There could be a request to look at the profiles of doctors and this type of thing to develop practice plan profiles with the data and the like.
As we get into managed care, we are seeing more and more of these kinds of requests for information. Depending on the contractual relationship between the parties, these will or will not be provided, or cannot be provided.
Where our companies compete sometimes isn't as much on the clearinghouse function. That has gotten down almost to the commodity level, where it is actually fractions of pennies for the transaction now, not even pennies anymore. Where we are seeing our companies competing are in these value-added services that they can provide.
MR. SCANLON: Are there any value-added services -- you described what is largely statistical profiles of information, which clearly doesn't affect an individual whose record you would come across on the clearinghouse aspect. Are there any potential services that would not be in the interest of the individual -- provider profiling or statistical summaries or aggregates or profiles?
I guess I'm less concerned about with the full service clearinghouse or VAN is there potentially any service that involves the use of the individually identifiable health insurance?
MS. SCOTT: I can come with a couple, and I think the classic one that is sometimes discussed is we get everyone who has a particular disease, and we know that there is a pharmaceutical treatment for this disease, and we are going to cull off in the process, everybody that has that disease diagnosis and sell that list to a pharmaceutical company who will direct market their products to them. That can done.
MR. GILLIGAN: But we don't do it.
MS. SCOTT: But we don't do it. People talk about it, but that is again I think that this is the thing where we are saying, all right, we will resolve our issues going forward. That is an unethical, immoral, tasteless process. Hit me on both sides of the head with a stick if I were to do it and misuse it. It is clearly a potential that can be done, and it's one of the things that we are asking to address. We do need to address those issues. I think there are people out there who would abuse it.
MR. GILLIGAN: Jim, we made a presentation to some folks in HCFA a couple of weeks ago with all sorts of slides that dealt with the kinds of services a billing agent might provide, a clearinghouse might provide, a value-added network might provide. We will be happy to give you those for distribution to the committee if you wish.
MR. SCANLON: That would be fine. One more question, in virtually every case and the scenario described, there is some agent relationship between the provider and the clearinghouse or the payer and the clearinghouse. It is not quite as potentially random a message.
MS. SCOTT: There is always a trading partner agreement between all of the levels.
MR. SCANLON: So procedures could be developed where the provisions extended to agents I guess of the providers or the payers.
One other question, is there in the industry itself, any set of preferred policies and practices on a voluntary basis?
MS. SCOTT: In ours -- and I'll let Bob address that from the billing -- there is an organization called the Electronic Health Network Accreditation Commission, EHNAC, which has been established. We took the leadership role at AFEHCT in creating it four years ago now.
We spun it off as one of these things, and I wrote the original by-laws for the organization just to give you an idea, and I have no idea who's on first now. I know who the executive director is. I don't even know who their commissioners are today, because I basically took a very arm's length approach to this. If we were going to be accredited by them, I did not want to have anything more to do with them. They would look at us as a truly independent agency.
They have a whole section on security and privacy as a requirement in their accreditation standards. Not every clearinghouse is accredited, but quite a few are now, and more are becoming accredited as they go through that process. So there is kind of a both standards, and if you would call it a code of ethics or something, that would go in the behavior as to how these kinds of things do.
There has also been a lot of development of course in the development of standard trading partner agreements and arrangements which spell out some of these relationships and how they go on that.
MR. GELLMAN: Is it similar, the accreditation for your companies?
MR. BURLEIGH: There is no accreditation process for billing companies. It has been discussed at a number of our meetings, and because of the subjective nature of the services, it is not a generic process. So in the EDI industry, you are receiving data. How you house it, how you convert it, how you communicate it back and forth is a little more objective.
What we do in this industry varies significantly and there are various ways to do things. So it has been talked about. We have actually begun to develop training programs for the accreditation of persons, people who do the work for the companies.
We do, however, have a code of ethics and a set of by-laws that the organization adopted when it was created five years ago in 1992. We can provide you with copies of those. We strongly support a number of behaviors or conducts, one of which is the protection of privacy of the information. That was a specific issue when we incorporated, because we had information that there were companies who fortunately are no longer part of the industry, who were doing things similar to what was described a moment ago.
The example may or may not be a little bit more benign than the one used, but someone was processing claims for an obstetric practice, and was selling the names and addresses of women who had delivered to insurance companies who wanted to sell life insurance policies to the family. I don't know if that was harmful or not, but it was certainly information which anyone would consider private, which was released without anyone's permission. So you can go down to vital statistics and get that information nevertheless.
We also advocate a written contract between the customers of a billing service and the company. I teach one of the courses for the association on model contracts. One of the elements of that is a confidentiality statement between the company and the customer. That extends to each employee of the company, so that everyone who works for the company signs a separate document recognizing the duty of confidentiality of the medical information that they have possession of from time to time.
Finally, most billers now are beginning to develop compliance programs, compliance motivated primarily because of IRB(?) enforcement, and the Office of the Inspector General's initiatives on coding and other activities. So this is very easily incorporated should legislation be enacted to say that compliance with confidentiality and privacy would also be part of the compliance plan.
MR. GELLMAN: You said that companies are no longer engaged in these practices of selling --
MR. BURLEIGH: As best we know.
MR. GELLMAN: That was my question -- how do you know?
MR. BURLEIGH: We have no way to police. This is a voluntary organization. We have no way to enforce it. We could revoke membership, but that's about it.
DR. SCHWARTZ: I'm wondering if any of you can address the extent to which privacy and confidentiality educational programs exist in the industry in particular that might reside in these full service clearinghouses or VANs?
MS. SCOTT: I was in Tulsa, our corporate headquarters, Friday and they had what we call an all hands meeting in which I gave my monthly privacy and confidentiality hell and damnation speech that I give. It is an integral part.
We have an employment agreement that every associate in our company signs, among which on that now has been added a section in that dealing with the fact that they are handling personally identifiable medical information. In the statement it says that any employee would be immediately terminated for the use or misuse of this data. We talk about that within our training program.
That is one of the requirements, to have this kind of in-service training as part of the accreditation program that EHNAC has.
MR. BURLEIGH: The billing industry does not at the moment, or has not historically. It has been something well understood, but lacking any legislation or regulation to motivate it, it hasn't been discussed as a formal issue.
DR. HARDING: Did you both kind of say in so many words that you didn't want to become health information trustees? That there is some kind of an onerous task involved in that? What's the problem?
MS. SCOTT: As defined in S. 1360, as that term was used in the original version of Sen. Bennett and Sen. Leahy's bill, that trustee had responsibilities for disclosure, had responsibilities for getting the authorizations, had responsibilities from making corrections and amendments to data.
Our problem there -- and Bob has heard me use this expression before -- we store our data, we literally store the data for our clients. Our contract says we store it for seven years. Our company had its first installation in 1987, so we are 10 years into our product. We still have the data from that first year. We have never gotten rid of it. We don't know what to do with it actually. We go back the 10 years.
If Mrs. Jones showed up at our door store saying you've got to correct this, I've got major problems first of all -- we don't store databases by Mrs. Jones. Databases are stored by our client identification, which in this case might be Mercy Hospital or City Hospital or Dr. Smith or Dr. Brown. Then we would have to go through and do a complete search of the data. That is one problem.
The second problem is I have no privy to Mrs. Jones showing up asking me to do this. If it is medical data, if it is a diagnosis code or something like that that she wants changed, I can't change that.
DR. HARDING: So "guaranteeing" the confidentiality you don't have a problem with, but it is the correction and that type of hassle factor.
MS. SCOTT: All of the burdens that would be put on, that would add costs and slow down all of this processing taking place, which we are now doing, as I said, in seconds at fractions of pennies really.
MR. GILLIGAN: Doctor, in many instances these companies don't maintain the data. In a value-added network, it just goes through. They never even look at it. So they don't keep copies of it.
If they maintain the data, then we should be subject to amendment and correction, but only at the request of the provider who rendered the care.
MR. BURLEIGH: There's a very significant difference between their part of the industry and ours. That is, we do deal with the public daily. We deal with the public a great deal. In order to help the process, billers are hired to get the money for the provider primarily. In order to do that, we have to contact the patient to say, well, we didn't get the information about your insurance, or there was a missing digit, or a missing data element. We can't submit the claim on behalf of Dr. X until we have that.
So there is regular dealing. Our members generally can identify with great accuracy, Mrs. Jones and all of the services that Mrs. Jones has had over the last year or the last five years, the last seven years; because of the statute of limitations on Part B liability for Medicare, most members store the data that they have processed, at least in an abstract form, for up to seven years, although that is not always true.
The really issue is that Mrs. Jones calling or Mr. Jones calling the billing company to say, I'd like to see what you have on record. We can show a CPT code. We can show a diagnosis code. We might even be willing to sit down and explain to them what each of the codes means, but at that point there is a problem, because we have been authorized to submit the claim and collect the money from an insurance company. Most members have not been authorized to counsel the patient about that information and what it means.
There are a number of members, who as a matter of policy on behalf of their customers, will give out the code, but not explain what the code is. If the patient wants to go get an ICD-9 book or DSM4 book and look it up, they then have it. It could be argued that they shouldn't even do that.
It would be entirely appropriate for a customer, for a practice to say you're not allowed to tell my patient anything except the amount of the charge or maybe the particular CPT code for the service, but not the diagnosis. That is a doctor-patient relationship.
So having a patient who then says, well I want you to tell me what it was, and now that I know what it is and I don't agree with it, I want you to change it, that's a genuine problem. In fact, it is a problem that billers deal with, because there are some insurers who play games with their communication with the patient. Let me explain what that means.
If I have Company X as my insurer, and the insurance policy my employer purchased happens not to cover medical care -- it covers injuries and so forth -- but I have the flu and I go to the doctor, and I want my insurance to pay for it. They will bill it for me as a courtesy, but I know and a lot of patients hope that it will get through; but it doesn't.
The insurance company denies the claim. The biller bills the patient. The patient calls the biller to say well, why didn't my insurance pay for it? We don't know; call your insurance company. The insurance company is called. The insurance company says, well, we would have paid that, but the provider "didn't code it correctly," meaning they didn't submit a claim coded for a service that we cover.
They kind of cop out on telling the truth about the coverage. So now there is this push-pull between the patient and the biller, who is speaking for the provider, saying well, we want you to change that information in order to get my insurance company to pay something they would otherwise have not paid.
So now it creates potential for conspiracy to commit fraud and all kinds of other dirty deeds, simply because we want to get an insurance company to pay something that they didn't intend to pay for.
MR. GELLMAN: I was going to get into this later, but since it has come up now, let's talk about it. One of the difficulties in designing legislation is figuring out who exactly has what role. It is easy when you talk about providers or insurers. They all deal with patients, and they all have records, so the standard rules, it's fair information practices that are in the bill, including access and correction work in that context.
By the way, everybody in this area other than the specific provider may have the same problem of I didn't make this diagnosis. If you come to me and ask me to change it, I can't. I don't know; I don't have any basis on which to question it. Go back to that provider. None of the bills requires anyone really to do anything other than to say, well, if you disagree with what is in our record, we'll make a note of that, and that's about it. Go back to the provider.
The problem in designing this is that the entities that we are talking about are not singular. I mean providers or insurers use other people to perform other functions. Some of this is quite routine. A provider may have an outside counsel who is not engaged in the provision of health care, but is still an integral part of that provider's activity.
They may have an outside accountant doing the same thing. It's all part of the services. Here we are dealing with an area where we have outside parties performing a variety of essential functions that grow out of the relationship between the patient and the trustee, be it an insurer or provider, and there are all these support groups.
The question is, which of these groups sort of are independently trustees, and which ones are effectively agents of people who are trustees? This is where it gets very complicated.
The traditional language used here is agency in the legal sense of somebody's agent. The Condit bill tries to get away from that just to avoid the baggage of it, not that there is necessarily anything the matter with it, and uses the term "affiliated person." It says that a health information trustee can have an affiliated person, an agent, a lawyer, an accountant, a processor, a communications company. It could be a moving company. It could be a cleaning company.
It could be anyone who is performing any of the myriad services that somebody needs to perform to function in the real world. It makes no sense -- and this is the point that you have made, and I think it is correct -- for all of these people to be independently treated as trustees, and have all of the obligations under the bill, including most specifically providing access and correction services.
Consider the moving company that is moving records from one provider location to another. That obviously makes no sense for that provider, during the period of time they have possession of the records, or a storage company that is doing nothing but storing boxes, to have to deal with these kinds of questions.
The concept in the Condit bill is that someone who is an affiliated person, or who is an agent, who is not independently with respect to the patient, a trustee, that person is not a trustee; however, the person who is the trustee, the provider or the insurer, can determine what are the responsibilities that it has under the bill go along and travel down to the affiliated persons.
So for example, if you hire a moving company to move records, you might say, the moving company in your contract has an obligation to protect the security of the records while they are in your possession. The rest of the requirements of the bill make no sense, so those responsibilities, including providing access, remain with the provider.
If you want to see your record, you go to the provider. The provider recovers that record from the moving and storage company, and gives it to you.
This is one of the problems with your industry. I think the structure in the Condit bill, and the purpose of this, just to make it really clear, is to say the health industry can organize its affairs any way it sees fit. The privacy bill is not trying to tell people you must structure your activities and hire people in certain ways, to perform certain functions.
This is clearly well beyond the scope. You couldn't do it if you wanted to, and there is no reason to even attempt to do it, but to say to the persons who are trustees, you can have whatever relationship you want with someone.
You allocate these responsibilities with people. So for example, the provider has someone processing claims. They can say to that claims processor, you have to protect security of information. You have to follow disclosure rules. You can only give this information to certain people, but we will take on the responsibility of dealing with patients and providing access and correction.
It's the same principle. It doesn't make any sense for that to flow downstream. In some cases, it may make sense for that to flow downstream. You may have somebody else who is performing a function on your behalf, who deals with a patient, or has the capability of doing this. You may be hiring outside firm to do some kind of lab work or special testing, and you want them to deal directly with the patient in some regards; I don't know.
Regardless, the policy here is let's make it as easy as possible for everyone to structure their activities, and to make sure that the patient's rights are protected, there is a responsible party who carries out those functions. It will be up to the parties themselves to allocate under the statutory scheme.
That's the idea. Now the Bennett bill, at least in later drafts, tries to deal with this a little better, talking about agents and the Condit language isn't important. It's the concept here. Ultimately, language will be important, about whether it has really defined everybody's responsibilities properly.
Does that structure make sense to you? Does that sound like it works, at least in broad principle?
MS. SCOTT: In broad principle that was exactly -- because as you indicated, when the Bennett bill first came out, that jumped out to us. While we weren't defined as a trustee, we basically had all the responsibilities of the trustee, and then all these other burdens came into play, and we saw the whole house of cards collapsing under the weight of those.
As you say, the later versions did start to try to address that, and we were still working on that. So that I apologize in the sense that I have probably given the Condit bill one good reading so far this year, and haven't really gotten into it and studied it. I did focus on the affiliated persons section, and I think that we are hitting that concept.
If we entered into a contract -- I could enter into a contract for example, to store a provider's data. I will maintain it for that provider. Part of my responsibility could very well be, to be able to do searches of that data to find specific transactions that might be the subject of a correction or disclosure or whatever authorization.
To that extent, I have taken on some of the responsibilities of that trustee, but I am not the trustee, and I have done it via contract mechanism between the trading partner relationship. I see that as being very flexible, and yet meeting the needs, if we do it right, if we say it right.
MR. GELLMAN: Mr. Burleigh, does that idea sound like it works for you?
MR. BURLEIGH: Conceptually, yes. When I was reading the bill, and in my longer, written version addressed the concern that we have about the affiliated person language, and that it could be read that those obligations extend to the affiliated person directly, rather than contractually or by delegation.
Either by revision of the language, or by clarification, if that is not intended, well, that diminishes our concern considerably. There are some other issues that go with that.
Again, hospital-based physicians traditionally have been the physician practices who most frequently use the services of billing companies. A radiologist has no reason to have a private office. An anesthesiologist doesn't have an address. Patients don't go there for anesthesia, they go to the hospital.
So those are the physicians who traditionally have used billing services, although that is now beginning to change, and now those with private practice are beginning to use billing services, because they are more efficient or more cost effective.
The physician in the hospital-based practice, which traditionally is anesthesia, radiology, pathology, emergency medicine, interpretive cardiology, interpretative pulmonology and some others, they don't have the record. In fact contractually, they don't even own the record. The record is the property of the institution where they practice.
So when you get into a discussion about the amendment or modification or change of the record, it is not even the physician's property whose bill is being disputed, or whose decision is being questioned. So it is even further complicated.
MR. GELLMAN: That's a good point. I think I'll have to pursue that when we have the providers. I'll have to talk about how they deal with that.
MR. GILLIGAN: One of the problems I see, and I'm going to come back to this dead horse again, and that is both the agent or contract concept in the affiliated person concept seem to connote a relationship between the provider trustee and a once removed agent or contractor. In our case, we have to have relationships with several different entities, and be able to disclose.
MR. GELLMAN: The question is, do fleas have fleas? Do affiliated persons have affiliated persons?
MR. BURLEIGH: Yes, they do.
MR. GELLMAN: Yes, I think that is clear. Anyway, I think that's a problem. I think that what we are getting at here is a level of detail that was not clear to the people who drafted this as it should have been.
MR. GILLIGAN: It is a level of detail that is a deal killer for us. Unless we have that authority --
MR. GELLMAN: I understand that. That's perfectly reasonable, it seems to me.
Before we started to talk about this, I just sort of viewed all of you as a lump, as sort of one kind of entity. Now I'm beginning to detect that maybe the billing people and the processors may be different, because you have described that you have a relationship at times with the patient. You deal with the patients.
I'm really uncertain of this -- does it take you out of the category of being an affiliated person to the provider. Can you explore more about what your relationship is with the patient?
MR. BURLEIGH: I have used a triangle as a way to diagram this. On one side of the triangle you have a doctor-patient relationship. On another side you have the doctor-agent, doctor-biller relationship. You have a patient-insurer relationship.
So you've got a doctor, a patient and an insurance company, and eliminating the biller, the patient owes the doctor money. The doctor may or may not accept the patient's insurance company as a substitute for direct payment. One of the comments I made was the physicians might decide, if this is too burdensome, to simply not do that anymore.
The physician may then hire someone to perform those billing functions. As part of that, especially today patients owe deductibles and co-payments and so forth. In order to get the claim paid, more information is often needed. We didn't get your Social Security number or the digits were transposed or some other error. We had trouble getting the claim paid.
We might have to get the patient involved in pursuing a disagreement with the insurer, who doesn't want to pay, and who should. So there is much more of a direct relationship. The patient never hires the biller. So we are hired by the provider or the hospital, the practice, whomever. So we're simply dealing with the patients on behalf of the provider who performed the services, and who is owed the money.
So it is not a bill collector per se, but it is in that same context. In fact, in looking at this we have even looked for or anticipated corollaries between the Fair Credit Reporting Act and this kind of privacy legislation. There are some, but not too many, because the information is much more subjective and factual in terms of did I pay my bills on time and so forth.
Some of the horror stories are still true. Somebody is branded as having HIV, when they don't and so forth. Lots of those things happen.
MR. GELLMAN: I'm not so sure that you are really any different than they are at this point now. It is at least an open question. I now have my doubts. You may fall right in the category, or you may be a new category all by yourselves. I mean that's one of the things that is not really clear.
Who pays for your services for your members? Who hires you?
MS. SCOTT: Basically, there is both ways. There are clearinghouses which are primarily clearinghouses for the benefit of payers. NEIC was a classic example of that, and when CIS originally creates its clearinghouse, our customers were the providers, hospitals and doctors.
Today there is increasing recognition that clearinghouses may end up working with both ends of the spectrum, and there is some payment that comes from the payers now, if you are going directly to the payer, trying to eliminate a couple of these steps in here, so that maybe you go straight to the payer from the clearinghouse, rather than through one of their connecting points.
MR. GELLMAN: If you can bill both parties.
MS. SCOTT: It's wonderful, Bob. What do you think we're in this business for?
MR. BURLEIGH: We only get paid by the provider.
MR. GELLMAN: You're in the wrong industry.
MS. SCOTT: Unfortunately, there is a lot of price pressure that has come down, and of course it depends on the services that are being provided.
MR. GELLMAN: Let me go back to the consent issue. I'm not pushing patient consent here. I asked you that question, because I wanted the answer on the record. I think what you said about that makes perfect sense.
The traditional model of patient authorization is patients authorize all disclosures. The Condit bill moves away from that, and it says disclosures for payment and treatment -- but in this case we are really only talking about payment -- are assumed. The statute says a provider or an insurer can disclose information pursuant to the payment process, unless the patient has objected; the patient who comes in and says, I want to pay cash, something like that.
There is an out for patients that need it, that basically says we don't need patient consent for payment in part because most of the patients have no choice. The other part is because of the complexity of the system. It's almost impossible to expect -- and you described this well -- because of the complexity, to even describe to patients what is happening. You can't even tell what is happening up front.
Does that model sound useful to you, of not bothering with patient consent, except in cases -- those presumably rare cases -- where patients have some special interest that needs to be taken into account? That all of these disclosures can be authorized in the statute without the need for patient consent? Is that attractive?
MR. BURLEIGH: I think that is a much more practical approach.
MS. SCOTT: I think it recognizes what probably is happening in practice anyway. You have such a generalized authorization today, and it has worked. The system has worked. This has developed. I think that we don't want to do anything that would unnecessarily burden the system that has been put into place. So it does have an attraction, and I think you then define your exceptions right there, having a blanket authorization. Rather than trying to identify everything that should be allowable, allow everything and pull out what you can't do.
MR. GELLMAN: I asked the insurers this morning a question of whether they actually see -- I go to my doctor, I sign an authorization, do the insurers see that? They said, no. Of course you never see it, because everything is flowing electronically, at least to a greater extent.
MR. BURLEIGH: They would never see it. Some of our members see it; more of them don't than do, and rely on the fact that it exists, even when it doesn't. That's actually a problem now, because the Office of the Inspector General for Medicare, doing its own field investigations is now calling for proof that a provider had written permission, even though it may have been implicit, and the patient if asked would have said, well, sure that's okay, but there is no physical proof, and therefore saying that's a fraudulent claim, because you didn't have written evidence that the patient gave informed consent.
Medicare patients by their nature, are often not competent to give that consent. Now you have complicated yet another level by getting the family member or guardian. Do we want legal proof, and do we want copies of documentation to show that I'm the medical custodian and so on?
MR. GELLMAN: You touch on another issue that I don't really want to get into here, but I was at a conference in Sweden and there was a Swedish doctor on the panel. He was talking about the problems of consent. He said, your average patient may be an 83 year old woman with multiple physical problems and some degree of dementia. All of these fine distinctions about consent are lost in these circumstances, and I think there is a reality to that.
Jeanne?
MS. SCOTT: The only thing I would add is that maybe in terms of our relationships with our provider customers is that partly as a result of the emphasis on these issues in the last couple of years, we have revised our contract that we entered into with our customers.
We have a provision that says one of the obligations of the provider is to have the consent of the patients involved. That is their duty. We don't inspect that they are meeting that or anything, but we now have a specific statement in there that they have a duty to get this consent.
MR. BURLEIGH: We have done the same thing.
MS. SCOTT: So it's one of their obligations. It wasn't always clear before, and I think it was implied all the time, but we now impose it in writing.
MR. GELLMAN: Let's move on to another issue. I want to get back into some of these circles and oblongs, ovals, whatever. Can you describe more the functions that processors are performing? Are we just transmitting things from here to there? Does it involve looking at a claim and making some substantive decision about it based on what is inside the claim, rather than looking for an address? What is going on?
MR. GILLIGAN: Basically, a value-added network is a telephonic communication or even by satellite communication of claims or transactions within what they call an envelope. When it gets to a clearinghouse or a practice management organization, they open that envelope. One of the things they do is they sort the claims by which payer they go to, and then they electronically reformat those claims into the format required by the payer.
Prior to doing that they may review the claim, and run it through the front end edits and audits that the payer requires, to make sure the claim is what is called "clean."
MR. GELLMAN: So it might be rejected at that point?
MR. GILLIGAN: Yes.
MS. SCOTT: It often enough is.
MR. GILLIGAN: Now sometimes that function of edit checking is done by the hospital's billing office, the provider's billing office, with software supplied by the clearinghouse. In other clearinghouses it comes to the central location, and the edit checking is done there, where the function is performed.
MS. SCOTT: In our case for example, we have approximately 15,000 edits built into the software. These are edits that are given to us by the various payers, 1,300 different payers that we have. There is a certain set of them that could be described almost as generic, that 98 percent of all payers require these edits. They have improved over the years. They are getting a little finer.
The claim or the information, be it an encounter or an actual claim, will drop from the hospital, in the case of the hospital mainframe HI system or from the physician practice management system into our software, where it is then run against these edits. This can be done on site, and most of it is done at the provider's site.
In the case of some of the smaller providers, it is now done in what we call our central business office, so it does come across the lines just the way it came out of the thing, a raw claim so to speak. It gets edited, as Tom said, either there or at the central business office, but probably 95 percent of it is done at the provider site. It hasn't even left the provider yet. It is being run against those edits.
In the course of a typical run through, say in a hospital that drops down from its outpatient department, a couple of thousand claims might drop down on that, we would maybe 50 that have an error. It depends on the HI system; some of them are better than others in how they produce it.
It used to be if that we ran 30-40 percent were errored. Now it is probably down to only 5 or 6 percent that get errored in a typical transaction, because we work with the hospital's HI system. When we find an error constantly coming through, they correct the system. It's an ongoing self quality improvement.
These might just be missing digits, a four digit zip code instead five, and some want nine now, and you've got to get all the information.
They are highlighted on the screen and the biller would then use that system to make the correction or find the information that is needed. So that when it comes to the clearinghouse, and actually gets into that transaction, we are finding now that it is 99.96 percent. As someone said 0.04 percent of a couple billion claims is still a lot of claims that end up getting bounced around out there sometimes, because the error didn't detected.
We are getting it down to that level. Depending on now whether this is a real time, on-line type of thing, or whether it is a batch transaction, they are sent off. We are using both processes now as we go forward.
MR. GELLMAN: Mr. Burleigh, do you have anything to add?
MR. BURLEIGH: The information systems the billers use are much more numerous. Hospital system vendors, probably less than 10 "name brand" systems would you find most of the time. In our side of the industry, on the physician side it is several thousand. Many of the largest billers write their own software, lacking something that they find commercially suitable. Some of them have very sophisticated edits; some have none at all.
There are companion software packages available that will do some amount of screening or grooming of claims. A number of packages are on the market now for coding specifically. There is CPT and diagnosis coding, that include the Medicare correct coding initiative that some of you may know about.
Medicare has 40,000 or 50,000 edits that they have now established as the Medicare standard, and some of these packages include that, which only conditions the claim for the coding portion. As Jeanne said, if we don't have a date of birth, some of the billing software will not permit the claim to go through to be issued. Others will just default it, and in some cases the insurer is going to pay it anyway, and in others they won't. That then becomes payer suicide.
MR. GILLIGAN: Bob, there is also in this mix of organizations what is called practice management systems companies, who also belong to our organization, and probably also belong to Mr. Burleigh's. They do extensive or can do extensive analysis of claims to service the physician, and get into essentially managing the doctor's practice him, or can.
MR. GELLMAN: Is this an activity that is highly dependent on identifiable records, or is it more --
MR. GILLIGAN: Oh, yes. I don't know to what extent let's say during analysis, is involved using identifiable claims, but it is all done electronically. So what comes out of that kind of analysis is aggregate data.
MR. GELLMAN: They are not helping the doctor decide what to do with one patient. It's helping the doctor reorient his practice to whatever standards there are.
MR. GILLIGAN: That's right.
MR. BURLEIGH: It is not patient-specific. Let me add though, that some of these software companies -- most of the ones we are describing here are what I refer to as the high end source. These are systems that typically cost $50,000-100,000, up to $250,000 for the software. Marcus Welby does not buy these systems.
This is not Dr. Smith practicing solo, and that's an issue, because to assume that every practice in America is automated today is not true yet. I kind of refer to it is I have the bifocal factor. There are physicians, say over 50, who are resisting automation. So there is still a lot of paper around.
I mention in our material that more than 50 percent of our claims are submitted electronically, but not more than 60.
MS. SCOTT: Increasingly we are seeing them -- to get back to them being patient identifiable -- we have search engines and the like, as you do get into group practices, MCOs and hospitals have been buying physician practices and creating their own networks, and the like. So that a patient is likely to show up at a doctor's office or some sort of remote clinic facility that is part of a network, and they can call into a central database and get that data.
This is where we are starting to move beyond just the financial claim transaction, and getting into many other business applications. As I said at the outset, that's where the growth is. From the hospital side, we have probably already got 99 percent of the claims being processed electronically. From the physician side it may be only 50 or 60 percent. We've got a lot of room for growth there.
That problem in a sense is a mere educational one to get doctors to use systems. The technology is already doing it. Where we are now moving is all of the other transactions. Clearinghouses and value-added network services are playing a role in those as well.
That is the area that is still very gray, and where they do use patient identifiable information, because we are developing various kinds of search mechanisms, database management system products and the like, so that Dr. Jones can pull up Dr. Smith and get the record all within the network of Mrs. Smith. As the patient shows up anywhere within that network, you can pull it down and get the information.
MR. FANNING: Those physicians are not otherwise connected?
MS. SCOTT: They are generally part of a network. They have either contracted and sold their practice. This is where it is developing today. Ultimately I think you can see this working where they would not be otherwise connected. I think where the systems exist doing that today, John, is where they are part of an existing network or contractual basis someplace.
We talk about it. It's not on the Internet. These are intra-net type systems that are coming out. Some of them aren't even intra-nets, they are just totally captive networks in the system. That exists today; what you just mentioned is where we moving. A totally unrelated doctor who is referring a patient to another doctor might be able to send the whole record over all electronically.
Now we are into telemedicine. Now we are really starting to get into the issues. This will involve personally identifiable information going through this network. We are not running away from that issue. I'm not trying to hide it. I'm trying to be as candid and as open as possible. That's why we know we need some solutions.
MR. GILLIGAN: Just for the record, all the transactions that we do all involve personally identifiable protected health information.
MR. GELLMAN: Jeanne, I understand you have to leave shortly?
MS. SCOTT: Yes, unfortunately I have a plane at 4:00 p.m., and I've got about maybe 10 more minutes I can be here.
MR. GELLMAN: I think this is probably as good a time as any to take a break. Tom you can stay?
MR. GILLIGAN: Yes.
MR. GELLMAN: We will reconvene at 2:50 p.m.
[Brief recess.]
MR. GELLMAN: Tom, what entry requirements exist within the claims processing industry? You talked about accreditation. Can anyone open up a shop as a claims processor that wanted to?
MR. GILLIGAN: Anybody. There are no entry requirements. I'm not sure there should be.
MR. GELLMAN: I'm not saying there should. Presumably the real entry barriers, you've got to get people to give you business. If you start off the Fly-By-Night Claims Processing Company, you have trouble attracting clientele.
MR. GILLIGAN: That's true. The corporations or the people that are involved in this electronic commerce go from organizations of such size like MasterCard and Visa, EDS, Computer Sciences Corporation, all the way down to people who have bought software from one of these practice management organizations, and then go around to doctors' offices, selling them on the business of letting them process their claims for them.
MR. GELLMAN: Mr. Burleigh, is the same for you?
MR. BURLEIGH: Well, yes it is. Traditionally, people going into the billing business have been practice employees. It's sort of an accidental profession. Someone working for a doctor decides to start his or her own business, possibly with that same doctor as a customer. Or it is someone who has worked for another billing company, who develops a relationship with a different practice, or even a former customer, and breaks off and starts their own company.
There has been extensive consolidation in our industry over the last five years. Benefits Corporation, which is one of our members, is publicly traded, and last year reported revenues of between $300-400 million, the bulk of that from billing for physician services. They got that big by buying up most of the top 20, and every year there was a new top 20, and they bought most of them.
So there is at the high end, publicly traded companies. There are still a lot of small mom and pops. In fact, the Better Business Bureaus in the United States are now reporting a consumer scam that you find in the classified section of newspapers and at some of the entrepreneur shows that for between $6,000-8,000 you can buy the magic software that will make you a biller.
It is sort of a mix of doing what our members do, and doing what the EDI industry does. It is viewed now by the Better Business Bureau as a scam, because people who buy it can't get any customers.
MR. GELLMAN: Right. Well, that may be encouraging.
MR. BURLEIGH: Maybe that a form of a compliment; the scamsters are after us.
MR. GELLMAN: Maybe.
Let's go back to the processing of claims. A claim starts somewhere, moves all the way through this complicated system, and gets to the insurer, gets to the payer. The payer says, I want more information. I want the rest of the record. What happens then? Does it go all the back through the system? Does the insurer go directly to the provider? How does that happen?
MR. GILLIGAN: The way it happens in our milieu is that the insurance company will notify the clearinghouse when it has received a claim, so it knows you have it. Then we maintain a claims status situation. After a period of time, if it is not paid, interrogatories go up the chain of command and find out why not, if they ask for more information.
That request will come back through us. How that request then goes forward from the provider to fulfill it is still being debated. I think standards are being developed for supplemental information. If you are talking about a whole record, you are probably talking about photocopying the thing and mailing it.
MR. GELLMAN: So it would be mailed directly from the provider to the insurer?
MR. GILLIGAN: It depends on what has been asked for.
MR. GELLMAN: If all the data were electronic, the request could go back through the food chain, and then back. All the data could go back up.
MR. GILLIGAN: If you had electronic medical records and standards for it that everybody agreed to, yes.
MR. GELLMAN: Is that the same experience with you?
MR. BURLEIGH: Well, to answer your original question, the answer is all of the above as far as who they make the request of. Ultimately, the only legal source to provide it would be the original provider. As to who receives and handles the request for the information, and who carries it out in terms of copying it or creating it and submitting it, it varies.
One of the problems that the industry has wrestled with for years is what we call attachments, because in the past they have been required in advance, don't bother sending us a claim without X and Y and Z attached, because it will just come back to you, so you send it in preemptively.
There are other times when the industry -- the insurance industry calls it developing a claim. We want more information. It is actually re-emerging as a factor, because of managed care; not because managed care is more diligent. We view it as a form of harassment that delays the payment process. You can stretch it out by asking for information that you know is going to satisfy your interest in the first place, but it adds a month to the cycle.
So the information comes back to the biller typically. The biller then has to have someone request the information from the provider, who may then send it directly to the insurance company, or turn it back over to the biller, who then submits it. The biller may send an employee to the practice office to make copies, or to the hospital in the case of hospital-based practices.
So it is all over the map. At the same time, if it is a hospital-based specialist, often the insurance company makes the request directly of the hospital, and the hospital fulfills the request.
MR. GELLMAN: I want to ask a question referring back to Tom's chart. When all this information is flying back and forth between all the players, is there anyone in between the provider and the payer who has got a file on John Smith, and has compiled all of the claims made by John Smith, and basically has what might be called a shadow medical record based on all the claims? Does that exist anywhere along here?
MR. GILLIGAN: I doubt it for our industry.
MR. GELLMAN: You doubt it?
MR. GILLIGAN: No. Typically, the value-added networks don't keep anything. You are just buying telephone time. The clearinghouses -- some retain data only for the length of time it takes for the payment to be made. Once the payment is made and it is no longer a live issue, they get rid of it. Others like Jeanne, keep it as one of the services.
In each case, to my knowledge, they all keep that data by client hospital, client doctor, so that if in the unlikely event a person showed up in Tulsa looking for all the information that CIS had on him, they would probably have to go through multiple clients to get all the information, multiple years. That would be absolutely prohibitively expensive.
MR. GELLMAN: How about for you?
MR. BURLEIGH: It would be likely that the biller would have basically a claims history. Now that is not a medical record. It would be what services you had from their customer base. If I have five physicians and only one of them hires XYZ biller, they would only know about Doctor 1, not Doctors 2-5.
MR. GELLMAN: Would they have the information filed for that doctor by patient, so that as I submit claims over the years, each claim goes into the same file?
MR. BURLEIGH: There are differences in data structure, but if the question was could someone who was inquisitive about a patient discover a claim history about that patient, meaning service dates, what services were performed at least by code number, and what the diagnosis was, the answer would be yes.
There is another dimension that we haven't talked about yet. There are billers with increasing frequency who are being asked to do coding, that is CPT coding. I will explain that if I need to; if everyone knows what a CPT code is, we can save some time. The coding process has become dangerous; because of the OIG's enforcement efforts, providers are extremely nervous, cautious, afraid of the coding process, and are now looking for someone to whom they can delegate it, who is, they hope, more professional.
Our members, many of them, have been coding for years, and in certain specialties in particular, coding is an expected part of the service. In order to do that, you have to have a copy -- never the original -- but a copy of the original record.
Say for example in emergency medicine, my last emergency room visit, the biller would get a copy of the physician's chart A to Z, a whole page or three pages, whatever, in order for the company to actually evaluate and code, assign the CPT codes for a period long enough to make sure that we have it, so that we can answer the request for a copy; should one be sent, the biller would keep that.
Now some of them are getting them electronically now, so they can store them on disk and keep them for long periods of time. There are even now companies who, as a value-added service to their customer, are doing data abstract. The reason being that when a managed care company wants to negotiate a contract with a practice, a specialty in a community, the insurance company, having paid lots and lots of claims, knows more about the provider than the provider knows about themselves.
So the biller says, well, we will gather and store all that information. We can profile the patient population you have served. Now we are armed with the same data that the insurance company is, so that we have a level playing field when we negotiate a contract.
So yes, in fact there are members who have that as a service at the request of the customer. It is still not the original.
MR. GELLMAN: Well, from the patient's perspective, that distinction may not make any difference.
MR. BURLEIGH: That's correct.
MR. FANNING: Could I just follow-up one thing on that. So if several physicians hired you to do that work, and a patient saw those several physicians, you could reassemble that patient's file there from the claims that passed through your hands?
MR. BURLEIGH: Yes.
MR. FANNING: But it would depend on that circumstance existing?
MR. BURLEIGH: That's right. As was mentioned earlier, with the advent of group networks, so-called PHOs, physician-hospital organizations, where large portions of the medical staff of an institution who practice in unrelated, legally separate components will use a central processor for claims submission, or will use common denominator methods of sharing information.
There are often passwords and protocols to make sure that I only pass my patient information to that physician who I have requested a consult from or something like that. The information is moving around in unanticipated ways in order to support the claim submission process or other aspects of the industry.
MR. GELLMAN: Well, I will just offer the comment without following up on it that as things become more electronic, you face the prospect that the claims stored in a cave in Tulsa may ultimately all be in some form in where information can be retrieved database style in any way you want.
At least it is conceivable at some point, and in your case where instead of getting an electronic copy of the record, you may be able to plug directly into the provider's computer system and have direct access to the information you need; just more and more connections being built, and more opportunities.
MR. BURLEIGH: Electronic medical records are more in the future than the present, but they will certainly come along in due course in the next five years in my opinion.
MR. GELLMAN: Anyway, that's just what we call progress.
Is processor data ever provided back to its source -- not just its source, to the providers or to the perhaps payers for a purpose other than just the payment of a specific claim. For example, might an insurer or a provider say, can you give me a list of the last 5,000 penicillin shots we have given? We want to know what they were for, and whether we are using penicillin effectively, or some kind of activity of that sort. Is that a request that comes to you, to your clients?
MR. GILLIGAN: Typically not. Well, I will put it this way, for clearinghouses, typically not; for practice management organizations, I don't know whether that takes place, but I'm certain that given the level of detail that they can go to, they are capable of it.
MR. BURLEIGH: Well, I do know, and the answer is, yes they are. It is dynamic of the service industry. Again, managed care being a more common issue, if a practice can represent itself to a managed care company as being more "cost effective," meaning we perform high cost services less often on a population, given a certain demographics, and we have found ways to deliver an outcome, which is another buzz word in the industry these days.
We can deliver appropriate or expected outcomes at lower cost, and we have done that by profiling our patients, giving immunizations when needed, and doing other things, being able to answer back that information to the practice is something that is asked of our members with increasing frequency. Not all of them are equipped to do that, but the request is coming up more often.
MR. GELLMAN: What about fraud investigators? Do they come to you asking for buckets of information to sift through? Is that something that is routine?
MR. BURLEIGH: Oh, yes. The OIG is actually tracking for the first time -- Medicare is now tracking who the billers are. In the past, that is something that HCFA was sort of anecdotally aware of, but didn't have any formal database. Starting last year, it is now a requirement that if a physician enrolling with Medicare for the first time, moving to a new area, or starting a practice requests a provider number and they are using a biller, you won't get your provider number unless you submit a copy of the contract with the biller, along with the application.
MR. GELLMAN: You guys work with IGs on fraud investigations?
MR. GILLIGAN: I have not heard that come up yet.
MR. GELLMAN: We sort of covered this, at least a little bit, but let me try it this again, just to see if you have anything to add. It is perfectly clear that we are dealing in an industry with lots of dynamism in terms of the way it is structuring itself, and it is changing all the time.
The legislation, if possible, needs to try and anticipate some of this, not in the terms of predicting exactly what is going to happen, but allowing enough flexibility so that you don't have a privacy bill that begins to prevent normal, efficient activities from going on.
How are your industries likely to develop in the future? Are there new services on the horizon that you are almost capable of offering, or being thought about or discussed that are going to involve the use and exploitation of individual patient information that you already have, or that you might get in the future?
MR. BURLEIGH: I think we, as an organization -- me, personally -- would be concerned about a biller in your terms "exploiting" individual information. That is basically a sacred document, without being too dramatic about it. This is a very privileged set of information. It doesn't belong to anyone but the patient, or in some states to the physician, and there are legal disputes there or differences. It is a matter of property. No one has a right to exploit the information.
In the hospital software industry, it is very common for the companies who are in the share data processing business -- let me make clear what I mean. There are a number of companies who provide a central data center for unrelated institutions. Shared Medical Systems is the largest software vendor in the United States. The name says it all. They have a data center. They serve 900 hospitals or more, and all of those hospitals process their information through that single data center.
Now some of that is clinical information. A lot of it is clinical information, lab results, x-ray reports and so forth, but it is shared information. So that information in their contract can be abstracted, meaning patient identification removed.
If the company wanted to take that information and sell it back to their entire client base, saying, well here is the aggregate for hospitals of this size; here is the aggregate for hospitals in this region; here is the aggregate for hospitals of this particular type -- pediatric hospitals versus maternity hospitals and so forth -- they have the legal right to do that under their contract, but it is quite explicit that it can't be patient specific.
So it exists in a way. I think everyone who pays attention to it understand the patient identification issue is one that is being -- it can't be violated.
MR. GELLMAN: Tom, any future speculations?
MR. GILLIGAN: All I can say is that our industry is shrinking in terms of numbers because of the consolidation, but growing exponentially in the kinds of services it offers, new transactions being brought on electronically for what used to be paper transactions all the time.
So we look forward to the administrative simplification bill that provides standards to make that who business a lot easier. We look forward to the privacy bill to help us in this area as well.
MR. GELLMAN: I am wondering if all legislation on some level is fairly similar in terms of structure -- there are a lot of substantive differences here and there, but it divides the world up into researchers and public health authorities and law enforcement people and oversight people and providers, and a growing category of institutions.
I'm beginning to wonder whether claims processing at some level, doesn't need to be defined perhaps as a separate kind of activity, rather than sort of slipped in as under this agency/affiliated person kind of structure. I just wonder if the first step in doing that --
MR. GILLIGAN: I have the same questions myself.
MR. GELLMAN: -- the first step in doing that is okay, but how do we define this activity? This isn't easy to define. This chart is a mess, but that's reality, but that's what it is. The question is, how do we define these functions? I'm not sure that I expect anyone to spout a definition, although I would be grateful if you did, but how do we approach doing that?
MR. BURLEIGH: Well, we did.
MR. GELLMAN: You have one for us?
MR. BURLEIGH: Yes. As part of the work that the association did with the Bennett bill, we actually have a term --
MR. GELLMAN: Is this in your statement?
MR. BURLEIGH: Yes.
MR. GELLMAN: Where is it?
MR. BURLEIGH: The term "originating provider," rather than trustee was a way for us to in effect back into clarifying that the originating provider is the author as it were, of the medical record. I think we had discussed coming up with another term, but the processor I think would serve the purpose, to say that there are any number of organizations.
One that we haven't talked about yet are medical transcription companies. You may have heard from them or you're going to --
MR. GELLMAN: We haven't, and we're not just because we don't have the time to get into that level of detail, notwithstanding the level of detail we're getting into today.
MR. BURLEIGH: Let me, on their behalf, just say that that's an industry also going through consolidation, and because of technology now, it's not unusual for a transcription company to be based in Atlanta, Georgia and a physician from anywhere in the United States dial an 800 number, dictate the record, have it transcribed in minutes, and have it transmitted electronically by modem back to a printer in the office, the hospital, or multiples of that.
Some of them now will even fax it to my personal physician. If it is a radiologist they will fax the original back to the radiologist for signature, and a copy to my physician, who is the one who ordered the test, and a copy to the biller, because there is an agency agreement that allows that.
By the way, the transcription company, because it is all electronic, has all of that information that it has transcribed, back to the beginning of time by patient, and again, value-added service, sells that back to their customers, saying we can profile your patients on key word searches, on diagnosis profiles, on ages and so forth, because it is your practice. It's information that you should have, but it is at the same time, patient specific.
MR. GELLMAN: Well, thanks for making life more complicated.
MR. BURLEIGH: Some of them do coding too.
MR. GELLMAN: Right. At least point I'm not the least surprised.
Anyway, if either of you -- I mean, I'm not really asking you guys to develop something, but it's something to think about, and it's something that may contribute to the debate -- to develop a definition of processing or maybe a different term.
Let me just say I haven't looked at your definition of originating provider.
MR. GILLIGAN: I share your concern. One of the questions I have in my mind, and I think I laid it out in the presentation I gave you is that with respect to using the term "agent to contract" or "affiliated person" do you include so many organizations of wide disparity, that while you are able to solve our problem, you have created a problem for somebody else?
I'm also asking myself, how unique is our method of operation or experience? Are we different from GIMS(?) or Gimeses(?) or what have you?
DR. DETMER: I hear you saying that you are a variety of things. In some instances, let's say you don't; in other instances, let's say you did. I think that the issue is that the difference probably ought to make a difference. Now how we define it, that's another issue. How many boxes you can lay out, that's another issue.
MR. GILLIGAN: That's right.
MR. GELLMAN: Part of it is getting all the facts out. Many the boxes, once you get all the facts out, will align themselves in some way that helps. Maybe it will just make it worse, but you've got to know what you are doing before you do it, although this is Washington.
In any event, just a comment. I haven't looked at your definition of originating provider, and maybe you have solved the problem, but my guess is that's just as difficult a concept as any of the rest of them. It's just not all that clear.
MR. BURLEIGH: We will take the opportunity to respond with a definition in the near future.
MR. GELLMAN: Anybody else?
DR. HARDING: I have one a little bit different. Somebody mentioned electronic commerce. Your transmissions go all over the place, as you said; across the country, around the bend.
MR. GILLIGAN: Increasingly that's the case.
DR. HARDING: Internationally. Do you get into any interstate problems?
MR. GILLIGAN: We will have a lot of interstate problems if this bill doesn't contain a strong state preemption clause with respect to privacy.
DR. HARDING: Right now are you in any interstate problem?
MR. GILLIGAN: I do not know, although some of these companies that do business nationally are very concerned about states starting to develop their own privacy laws. We do do business nationally. I will visit with you the whole subject you've got in here, civil action and criminal penalties. Our folks have two views on that, one of which is we are not going to violate any part of this law, therefore we really don't care about that kind of a concern.
DR. HARDING: But at the present time, you're not having any problem, especially with interstate issues?
MR. GILLIGAN: No.
DR. HARDING: Then why do you want that taken care of if it's not a problem?
MR. GILLIGAN: Because we don't want to have a problem with 50 different privacy laws. For instance, you might have in that chart that I showed, you might have a doctor in one state rendering care to a patient that lives in a different state, in a hospital in third state, with a value-added network. The payer is far distant, like let's say New York or someplace else, with the different clearinghouses getting involved.
The answer in different localities. The question is which state's privacy law applies? The answer is, they all do.
DR. HARDING: But you're doing that right now, and it's not a problem.
MR. GILLIGAN: We're doing that right now, because again, we're not disclosing information or abusing any of the privacy laws.
MR. GELLMAN: Let me answer the question. The way it works now is some states don't have laws, some states have piecemeal laws. Basically, I suspect that if we -- you're not the right person to ask this -- but if we went over the details, you would finally find somebody to say, we don't know what the state laws. We're just doing whatever we need to do, and they are not paying any attention.
MR. GILLIGAN: I wouldn't disagree with you at all.
MS. WARD: I would just add to that, from where I sit with other states and their health departments, there is a growing sense of needing new state laws. Everybody is waiting to see if we can get a federal law, but there will be without clearly the momentum in states from consumer groups and others -- will force 49 different more laws, because everyone is on the verge of passing, and now waiting to see if in fact we can have a national solution.
MR. BURLEIGH: In terms of our membership, we haven't encountered difficulties with respect to state privacy laws. Our experience, where there are differences state to state have more to do with the different payer requirements. Dealing with Medicare in one state is not like dealing with Medicare in a different state, or Medicaid or Blue Cross/Blue Shield. They are not generic in any way.
So it is more of a technical difference that you dance to a different tune when you cross a state line. If you do business in multiple states, and the average in our profile is 1.3 or so, so most of our members deal in more than one state. So there are technical differences, but not yet privacy issues.
Our concern would be that if there were 50 different privacy laws to comply with, it would make life much more difficult. I'm not sure I want to embrace a federal law either, but I think that would be a better choice than having multiple laws state to state.
MR. GELLMAN: Let's stick with the preemption issue for a minute. Right now I think just about every state has an AIDS law. Does that affect the way you process AIDS claims at all? If not, why not?
MR. GILLIGAN: Again, all I can say is we don't seem to be experiencing any difficulty with it. I have not heard about it. I'm sure I would have.
MR. GELLMAN: There is no special processing method for AIDS claims or any other kind of claims? All claims are processed in the same way?
MR. BURLEIGH: Essentially that's the case. Now billers who deal with laboratory services -- not all of them do -- some deal with commercial labs, and where they have knowledge of an HIV-positive test result, there are special protocols as to who has access to that information. Not all of those patients are seeking to have that claim paid by an insurance policy. So they may just pay for it direct, or it may be paid for by a state program.
So there are different ways that those claims get handled, but most of them are treated differently in terms of concentrating knowledge or access to that information in a more discrete way.
MR. GELLMAN: Well, if you are processing a bill for an AIDS test, you wouldn't necessarily have the result in any event. You would just have the billing code for the test.
MR. BURLEIGH: You have a diagnosis code, which is either positive or negative.
MR. GELLMAN: Okay.
MR. BURLEIGH: It's sort of radioactive knowledge.
MR. GELLMAN: If the test is positive and there is another step in the treatment process, it's going to become clear, no matter what.
Are any processing activities carried out in other countries? Is there any information that goes through networks or gets stored overseas? Are any of your companies owned by foreign companies? Is there anything that would prevent foreign companies from taking any of these functions and carrying on some of the overseas? I know some transcription activities go on overseas. What about the rest of it?
MR. BURLEIGH: I think transcription is the only one that we are aware of currently, where the storage or processing occurs outside of the borders of the United States. There are some companies who are in border communities, who have used foreign citizens to do data entry. El Paso is one where a lot of people cross the border every morning to keypunch information. Basically they are transmitting information that gets keypunched there, because the labor is cheap.
It wouldn't be difficult to imagine that that would be the next step on, and move to that foreign country, but it hasn't occurred yet. It certainly could.
MR. GILLIGAN: I don't know one way or the other, but given the size of some of the companies in our membership, and the fact that they do do business internationally -- I'm talking now like EDS, Computer Sciences Corporation -- I do not know to what extent they process United States information overseas or if any that information is held.
MR. GELLMAN: I just want to run down sort of a list --
MR. GILLIGAN: Before you leave preemption though, in reading the Condit bill, I saw in there an exemption from the state preemption for state health --
MR. GELLMAN: The public health laws?
MR. GILLIGAN: No, not the public laws. It seemed to be state health programs. I was wondering whether that applied to things like Medicaid and the state and local employees' health insurance? If so, that cuts a big hole.
MR. GELLMAN: We'll have to talk about this later. I'm not sure that there is anything in there that creates that major problem. It's not worth exploring right now. It will take too long.
I want to go back to the liability issue. Several of the bills substitute in effect, a statutory scheme of civil liability for confidentiality violations, and in place of civil, any common law remedies that exist, and expressly wipe out any common law confidentiality remedies that might exist. I wonder how you feel about that, if that is an important element of this? If common law and statutory liability can reside side-by-side? I just want to know if this is a concern?
MR. GILLIGAN: I can't answer the question of common law, statutory law. I can address the issue of civil penalties and civil actions. I think you might want to pay attention to what constitutes a violation when it comes down to assessing civil penalties. Is a data element on a transaction? Is it a transaction? Is it all the transactions of a particular type in an investigation? Or is it all the transactions of any type in an investigation?
That has to do a great deal with the level at which you would set dollar penalties. In an electronic world, one mistaken stroke of the enter key, and you have really created some serious problems for yourself over a large number of claims or what have you, in a matter of a keystroke.
Some experiences with the IG have gone back under fraud and abuse, when assessing civil monetary penalties, would say well, doctor, you miscoded this claim, and you have consistently miscoded it over the past three years. Each one of those violations is a $2,000 civil penalty. You know owe us $875,000. Would you settle for $400,000? Hey, I would hope that we could avoid that kind of experience in this area.
MR. GELLMAN: I think that's a good point. One thing that was relatively carefully done in the Condit bill, whether it is adequate or not I don't know, but in terms of civil liability, people are entitled to actual damages. They are only entitled to minimum statutory damages in cases of a knowing violation, so that there was a pure distinction.
So that you accidently hit a keystroke, and 100,000 records go somewhere, if they can prove that they were damaged, they get it. Otherwise, unless there is some knowing attempt here, the attraction is to get attorney's fees and minimum damages, because it is always hard to prove damages.
MR. GILLIGAN: I am referring right now to the civil penalties.
MR. GELLMAN: There is nothing that specific in any of the bills, so I think that is a legitimate concern.
MR. GILLIGAN: The other thing you might want to take a look at is the setting of a cap on the penalties. You won't fee anybody any more than either a dollar amount, or some percentage of their gross business or something, so that you don't drive people out of business by this.
They should be penalized, and maybe at some point in time if a pattern of practice is established, then you might want to exclude them from the program, but you don't want to drive them out of business the first time out with a very large dollar penalty.
MR. GELLMAN: Well, that's an issue of sort of general political significance that I'm sure will get visited at some point later in the process.
Do you have thoughts on the liability?
MR. BURLEIGH: Yes, we didn't comment on that in our written material, because it appeared that this was more of a consumer advocacy type of bill, and that the remedies were going to be civil rather than otherwise, regulatory.
One of the concerns that we would have it if were different is that the plaintiff's bar, being ever vigilant for opportunity, would take off on this as they have with the Fair Collection Practices Act, with the ENTALA(?) COBRA regulations where over the river in Virginia there are more successful suits, because they now have a cap on tort liability.
They are suing under ENTALA, because they can get double damages. One of the concerns would be that this remain more or less the way its been drafted, so that it is more of a consumer responsibility to show damages in order to recover, rather than something else.
MR. GELLMAN: You may be sorry you said that. You give me some good ideas, but the point is well taken.
I just want to ask a couple of other questions to sort of fill out the gap. I'm asking about other uses of records that you have. Do you have any legal obligations or practices to report any patient information to public health authorities?
MR. GILLIGAN: I don't know. I think the public health -- to my knowledge the public health data is a totally different channel.
MR. GELLMAN: That's my understanding. I'm just sort of going through some basic issues here, just to make sure.
MR. BURLEIGH: We couldn't do that unless it was an assignment hired by the provider. If they hired us to do that for them, we would. I'm not even aware of anyone doing that.
MR. GELLMAN: What about giving information to health researchers? This is not done?
MR. GILLIGAN: No, it's not done.
MR. GELLMAN: You clearly have a wealth of useful information.
MR. GILLIGAN: I think that is something that might happen in the future, because with us, especially with clearinghouses with the hospitals they have, they have all the claims data for that entity, Medicare, Medicaid, the private insurance, whatever. They have all the data.
I have just been reading some stuff in -- the American Health Research Association has a journal, and one of the articles they put out just this last issue was dealing with measure and outcomes data, and predictability. Say if you only used Medicare data, you get this level of predictability, but if you use all data, you get a higher level of predictability for outcomes.
MR. BURLEIGH: I think in our case since we don't own the data, we would have to have the client's instructions -- not just permission, but instructions -- to do that. If it was not patient-specific, if it was just generic, I think most of the time most billers have anecdotal information about a community, because they are supporting a practice or a specialty or 16 specialties, but not broad enough for epidemiology work to be done.
There are a few medical schools who have "outsourced," meaning they have hired a biller to process all the claims for the entire medical school, and that is relatively recent. So they might have a bigger population to draw from, but in general, no.
MR. GELLMAN: What about --
MR. GILLIGAN: It depends on what you call research.
MR. GELLMAN: That was my next question.
MR. GILLIGAN: What practice management systems can do for a doctor can amount to research.
MR. GELLMAN: Right. Well, I was going to say well, if it's not traditional epidemiological research aiming at journals, we've got cost containment activities or practice management or what have you. It may not be distinguishable.
MR. GILLIGAN: As he alluded to earlier, with the purchase of managed care, and having to deliver care at a more cost effective manner, these doctors and hospitals are going to know a lot more about how their operations work than they have in the past.
MR. GELLMAN: But this kind of activity that you have described is work that your associations, your organizations do themselves.
MR. GILLIGAN: Some can; like the practice management organizations probably would routinely do that for their doctors. Clearinghouses probably would not do that for their hospitals.
MR. GELLMAN: But the practice management organizations already have access to the data.
MR. GILLIGAN: Right.
MR. GELLMAN: They don't have to disclose it to somebody else to get the work done. A disclosure is a pretty steep threshold under the bill, and that's why I'm asking about this.
MR. GILLIGAN: That's right.
MR. BURLEIGH: I think that one of the contrasts in the EDI industry is that they have a pipeline. The information is in it for a while, but not over a long period. Our members have the information in their custody and intend to keep it, because of the liability that their customers have to pay back money to Medicare or other things like that, as well as because they have been asked, because the practice wants to do its own internal research.
Since it is part of the doctor's practice, I think one would expect that a physician can look internally to profile his or her patients to learn more about their own effectiveness, or learn how to anticipate what would happen if they engaged in a contract in a certain way. So I guess if you take the universal definition of research, you say, yes, there is some research. I first took that to mean more clinical or epidemiology, and i think that's a different thing.
MR. GELLMAN: Mr. Burleigh, assume one of your members is processing bills from several different doctors, and discovers that a patient has got duplicate prescriptions for narcotics from a variety of doctors in a pattern that suggests some kind of abuse. Is this something that would come to anyone's attention in the ordinary course of business? If so, what would you do with the information?
MR. BURLEIGH: It probably would not. Most patients get their prescriptions filled at a pharmacy, and very few of our members bill for pharmacies. Pharmacies generally do their own. There are states where it is a little more common that a physician might fill a prescription in the office; some states allow that, some don't. In that case, they might be prescribing a controlled substance.
Again, there is a contractual relationship between Practice A, B, C and D and the biller, each of them independent. They typically keep them in separate databases. The staff that would handle Practice A, would probably not know about Practice B, C, D and E, and certainly would not be paying attention to individual patients.
So unless a law enforcement agency asked them to do that, and have the authority to require it, I can't imagine that that would be something that they would develop on their own.
MR. GILLIGAN: State Medicaid programs uniformly have that capability, at least I believe so. They are required to by the MMIS system, which is a standard. It does keep profiles on individuals, and can get it down to drugs and what have you.
Pharmacy benefit managers, like prescription card services can do that for the drug benefit. They also do things like interaction. They keep a file of the drugs you have been prescribed, and they can come back and say, okay you have been prescribed this new drug, but if you take it you're going to have a heart reaction, because you are taking some other drugs.
MR. FANNING: Can I just follow-up on this? You said your members wouldn't in the normal course of business do that analysis, but could do it if a law enforcement --
MR. BURLEIGH: That assumes they had the information.
MR. FANNING: Yes, assuming they did. Has it occurred that law enforcement agencies have come to outfits like your members and said I want information on this patient or that patient?
MR. BURLEIGH: Not to my knowledge.
MR. FANNING: No, okay.
MR. BURLEIGH: They would go to the provider, since the original record is in the provider's hands, and not the biller's.
MR. FANNING: The kind of example in the question was one that would be more easily detected by a place in which many records from several providers about the same patient were assembled.
MR. BURLEIGH: I'm not aware of that happening.
MS. WARD: Thinking of the broader context of what we are supposed to be doing, do you think having greater standardization, so that there might be one electronic format for transmitting claims, I understand lots of the benefit. Is there any benefit to privacy and security by having that level of standardization?
MR. GILLIGAN: I really couldn't speak to that. I don't know.
MR. BURLEIGH: You've described the Holy Grail. In our part of the industry it's everyone's dream to have 1 data set, rather than 150 data sets. HCFA has been working on that for years, and we are getting ever closer. We are 10 years closer than we were 10 years ago, but we're not there.
I don't know when it will happen. My feeling is it's pretty close, but every time we think it is closer, the whole story changes, because managed care twisted it a half a turn because of information they need or want to have, or require of a provider that was never asked for in the past.
So I think it is going to be a flowing pursuit. It would be a nice thing. I don't know if this is the bill to achieve that. It would probably take many more years to implement it if that was a requirement.
MR. GILLIGAN: Just to add a little bit to that. When the Administrative Simplification Bill first came out, one of the convention wisdoms that was operating up on Capitol Hill and elsewhere was as soon as you have a standard format, standard data elements, standard transactions, then there is no need for the clearinghouses and the value-added networks. Everybody will just die on the vine, and all the providers will do direct business with the payers.
Our industry absolutely loves the idea of standards, and we worked hard to get that bill passed. Because of the ability to manipulate the data, you may be able to improve security, and having standards will help that.
MR. BURLEIGH: I made reference to that in some of my written material about ANSI standards, where there is a whole catalogue of common data sets and transaction protocols for claims submission, payment transactions and a host of others. So there is some degree of standardization, but not all payers use it.
In fact, to some degree the trend is flowing backwards, because managed care companies start business, and are very slow to go to electronic claims, so that patients who used to have an insurer who was electronic, are now insured by someone who isn't. So it is actually going backwards, temporarily we hope.
DR. HARDING: Do you all have any self-policing group within your organizations?
MR. BURLEIGH: No.
DR. HARDING: No ethical committees? There are always the rogues in every group, and how do you deal with that?
MR. BURLEIGH: I chair the ethics and compliance committee for the association. This has been a matter of controversy since the organization began. The big problem is we have no method of enforcement. We can eject a member, we can revoke their membership, but because they are private companies, our ability to investigate and adjudicate them is problematic. So essentially we have no means of enforcement.
DR. HARDING: Have you ever revoked somebody's membership?
MR. BURLEIGH: Except for not paying dues.
MR. GILLIGAN: We don't have a committee like that. We did set up an accreditation program, and you have to go through that accreditation program every two years. That accreditation program is now an entirely separate entity, no longer having any relationship to our association. We did it that way, because we just wanted it to be absolutely no appearance of conflict of interest.
MR. GELLMAN: Last topic, do you have any views on the issue of health identifiers, whether it is Social Security number or something else? Is this something that makes a difference to your industry? Tom?
MR. GILLIGAN: For us, we are going to take the position that we are going to service the providers and the payers. Whatever they want to use is fine with us. Depending upon what kind of identifier you have, you may have to change the record. I'm not sure anybody wants to go through that hassle anymore.
So as long as the new identifier or the Social Security number is used, and it fits within the record, it is immaterial to us.
MR. BURLEIGH: Convention is that the Social Security is the number to identify the patient. We have more problems with the provider identifying number, because it is somewhat fluid between different payers. So we may have a catalogue of 15 different numbers for Dr. X, depending on who the claim is going to.
The patient identification number never moves, it's the Social Security number, but who the doctor's identity is identified by is variable. Some of that is a technical problem, because of the proposed newest version of HCFA's identification number for providers. It may be too long for the data set that is embedded in some of the software, forcing the rewrite of the software.
If something were done with a patient identification number, where the patient had some sort of a UPIN number or a PIN number that they had to use in order to allow access, I think there would be as many technical issues as anything else.
MR. FANNING: Do I understand it that typically the Social Security number does appear on the claims you process?
MR. BURLEIGH: If you want to get paid, yes. The insurer has to know who you are, and that is typically the number they use. Now they have policy numbers, and some union plans use the union ID number, your badge number or your membership number. Big companies that are self-insured use their employee ID number, which may not be the Social Security number. Typically they triangulate with both. They usually want the Social Security number and the others, rather the other.
DR. DETMER: This morning one or maybe more people made the comment that in a way, whichever number you use will become essentially a discoverable number unless you've got good security systems anyway. How do you respond to that?
MR. BURLEIGH: I think that's true.
MR. GILLIGAN: Another aspect of this whole thing is there are a great deal of companies currently using the Social Security number; probably Medicare and Medicaid as well. For fraud and abuse kinds of concerns, they are going to build -- if you move to a new number -- they are going to have to build a bridge back, the insurance company, so that the IG or anybody else who wants to track it, to make sure that nobody is receiving more benefits than they should.
MR. SCANLON: Just to clarify, I think I heard you saying that along with the other standards that the new law holds out is the national provider identifier. I think you are saying that there are some technicalities that need to be worked out, but the concept of a national provider ID, a single one is something that clearly would help.
MR. GILLIGAN: Absolutely.
MR. BURLEIGH: Yes.
DR. SCHWARTZ: Just a specific technical question. Is it your understanding that currently the use of the Social Security number in software, that it doesn't matter where the Social Security number resides on any form or within the system, and it doesn't matter whether or not institutions might have filler fields in conjunction with it, like a string of zeroes or something like that? So there are no problems now?
MR. BURLEIGH: No, that has been worked out -- at least from our perspective -- years ago. Pretty much everybody expects the Social Security number. Some of the systems have allowed for extra digits -- well, Medicare spousal benefits, there is an alpha suffix, for Railroad Retirement there is a prefix, so there are some variables. That's generally been accounted for on the patient side.
MR. GILLIGAN: I don't have any knowledge in that area.
DR. SCHWARTZ: So you wouldn't expect if the Social Security number were used, there would be any requirements or need for organizations to reformat?
MR. BURLEIGH: No.
DR. DETMER: Just to follow-up on the provider number. You made a comment about the HCFA current --
MR. BURLEIGH: HCFA is reinventing the provider number again. They had a provider number, then they had a UPIN number, and now we have a super UPIN number. I think the latest date -- it's shifting periodically -- the newest we really mean it this time date is September of this year.
DR. DETMER: What are your reactions to trying to implement that?
MR. BURLEIGH: Oh, it's December. They changed it again.
DR. DETMER: As far as trying to implement if that came to pass.
MR. BURLEIGH: It will eventually.
DR. DETMER: I know, but will that be real problems for you or an asset?
MR. BURLEIGH: It's just another number. Again, it is a longer number this time, so I think some of the software that is a little older is going to have to be updated to stretch that data field out, but it's just a number. It identifies the provider, not the patient.
MR. GELLMAN: Okay, I'd like to thank both of you. It has been a very productive panel, and you have both been very helpful to the committee. I think we have all learned a lot. You have made everything more complicated for us, but I thank you anyway.
MR. GILLIGAN: Thank you for the opportunity.
MR. BURLEIGH: I appreciate being here.
MR. GELLMAN: This is the opportunity for public witnesses. We have no public witnesses, so we are adjourned until 9:00 a.m. tomorrow.
[Whereupon the meeting was recessed at 4:00 p.m., to reconvene the following day, Tuesday, February 4, 1997, at 9:00 a.m.]